Acceptance of Extraneous Untrusted Data With Trusted Data| ID: 349 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software, when processing trusted data, accepts any
untrusted data that is also included with the trusted data, treating the
untrusted data as if it were trusted.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_ControlIntegrity | Bypass protection
mechanismModify application
data | An attacker could package untrusted data with trusted data to bypass
protection mechanisms to gain access to and possibly modify sensitive
data. |
Detection MethodsNone
Potential MitigationsNone
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-349 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2002-0018 : Does not verify that trusted entity is authoritative for all entities in its response.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Untrusted Data Appended with Trusted Data | |
| CERT Java Secure Coding | ENV01-J | Place all security-sensitive code in a single JAR and sign and
seal it | |
References:None
