Modes Of Introduction
Implementation: Developers often try to protect their products against malicious input by checking against lists of known bad inputs, such as special characters that can invoke new commands. However, such lists often only address the most well-known bad inputs. As a quick fix, developers might rely on these lists instead of addressing the root cause of the issue. See [REF-141].
Architecture and Design: The design might rely solely on detection of malicious inputs as a protection mechanism.
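The two modes above contrast a detection-only denylist with addressing the root cause. The following is an added illustration, not code from the CWE entry or from any product it references: a constructed substring denylist that blocks the POSIX-style ".." sequence but omits the Windows "\" separator (the gap described in the CVE-2024-4315 entry further down), placed beside the canonicalize-then-check-containment approach that does not depend on enumerating bad inputs. The names `DENYLIST`, `denylist_allows`, `resolve_within` and `compare` are hypothetical; `ntpath` is used so the Windows path rules apply on any host.

```python
import ntpath
import posixpath
from typing import Optional, Tuple

# Constructed denylist for illustration: the kind of "known bad" substring
# list CWE-184 describes. It covers the POSIX traversal sequence and one
# percent-encoded spelling, but says nothing about the Windows "\" separator.
DENYLIST = ("../", "..%2f", "/etc/")


def denylist_allows(user_path: str) -> bool:
    """Detection-only check: accept anything that matches no denylist entry.

    This is the weak pattern. It returns True for any input the list author
    did not anticipate, which is exactly the bypass CWE-184 is about.
    """
    lowered = user_path.lower()
    return not any(bad in lowered for bad in DENYLIST)


def resolve_within(base_dir: str, user_path: str, pathmod=ntpath) -> Optional[str]:
    """Root-cause fix: canonicalize, then require the result to stay under base_dir.

    pathmod defaults to ntpath so the Windows rules ("\\" and "/" are both
    separators, names compare case-insensitively) apply whatever the host OS is;
    pass posixpath for POSIX semantics. Returns the normalized path if it lies
    inside base_dir, otherwise None. No list of bad inputs is consulted.
    """
    base = pathmod.normpath(base_dir)
    # normpath collapses "." and "..", and ntpath also folds "/" into "\\",
    # so every spelling of the same traversal ends up as the same string.
    # join() with an absolute user_path discards base, which the check below
    # then rejects because the result no longer starts with base.
    candidate = pathmod.normpath(pathmod.join(base, user_path))
    # normcase lowercases and unifies separators (ntpath) for a fair comparison;
    # requiring the trailing separator also rejects the base directory itself.
    inside = pathmod.normcase(candidate).startswith(pathmod.normcase(base) + pathmod.sep)
    return candidate if inside else None


def compare(base_dir: str, user_path: str) -> Tuple[bool, Optional[str]]:
    """Run both checks on one input: (denylist verdict, containment result)."""
    return denylist_allows(user_path), resolve_within(base_dir, user_path)


if __name__ == "__main__":
    base = r"C:\app\uploads"  # constructed base directory
    # Constructed sample inputs: one benign, one the denylist catches,
    # one it misses because the list never mentioned "\".
    for sample in ("report.txt", "../../etc/passwd", r"..\..\Windows\win.ini"):
        allowed, resolved = compare(base, sample)
        print(f"{sample!r:32} denylist_allows={allowed!s:5} resolve_within={resolved!r}")
```

The denylist verdict and the containment result disagree on the backslash input: the list lets it through while `resolve_within` rejects it, because normalization reduces every spelling of the traversal to the same canonical path before the single containment rule is applied.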
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Common Consequences

| Scope | Impact | Likelihood |
|---|---|---|
| Access Control | Bypass Protection Mechanism. Note: Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism. | |
Observed Examples

| Reference | Description |
|---|---|
| CVE-2024-4315 | Chain: API for text generation using Large Language Models (LLMs) does not include the "\" Windows folder separator in its denylist (CWE-184) when attempting to prevent Local File Inclusion via path traversal (CWE-22), allowing deletion of arbitrary files on Windows systems. |
| CVE-2008-2309 | Product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning. |
| CVE-2005-2782 | PHP remote file inclusion in web application that filters "http" and "https" URLs, but not "ftp". |
| CVE-2004-0542 | Programming language does not filter certain shell metacharacters in Windows environment. |
| CVE-2004-0595 | XSS filter doesn't filter null characters before looking for dangerous tags, which are ignored by web browsers. MIE and validate-before-cleanse. |
| CVE-2005-3287 | Web-based mail product doesn't restrict dangerous extensions such as ASPX on a web server, even though others are prohibited. |
| CVE-2004-2351 | Resultant XSS when only |