CWE-657 Detail

CWE-657

Violation of Secure Design Principles
Draft
2008-01-30
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Violation of Secure Design Principles

The product violates well-established principles for secure design.

CWE Description

This can introduce resultant weaknesses or make it easier for developers to introduce related weaknesses during implementation. Because code is centered around design, it can be resource-intensive to fix design problems.

General Informations

Modes Of Introduction

Architecture and Design

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
OtherOther

Observed Examples

References Description

CVE-2019-6260

Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138].

CVE-2007-5277

The failure of connection attempts in a web browser resets DNS pin restrictions. An attacker can then bypass the same origin policy by rebinding a domain name to a different IP address. This was an attempt to "fail functional."

CVE-2006-7142

Hard-coded cryptographic key stored in executable program.

CVE-2007-0408

Server does not properly validate client certificates when reusing cached connections.

Vulnerability Mapping Notes

Justification : This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriate
Comment : Examine children of this entry to see if there is a better fit

References

REF-196

The Protection of Information in Computer Systems
Jerome H. Saltzer, Michael D. Schroeder.
http://web.mit.edu/Saltzer/www/publications/protection/

REF-546

Design Principles
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20220126060046/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/design-principles

REF-542

RFC: 793, TRANSMISSION CONTROL PROTOCOL
Jon Postel, Editor.
https://www.ietf.org/rfc/rfc793.txt

REF-1138

CVE-2019-6260: Gaining control of BMC from the host processor
Stewart Smith.
https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/

REF-1314

ICS Alert (ICS-ALERT-20-063-01): SweynTooth Vulnerabilities
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-20-063-01

REF-1315

Unleashing Mayhem over Bluetooth Low Energy
Matheus E. Garbelini, Sudipta Chattopadhyay, Chundong Wang, Singapore University of Technology and Design.
https://asset-group.github.io/disclosures/sweyntooth/

Submission

Name Organization Date Date release Version
CWE Community 2008-01-30 +00:00 2008-01-30 +00:00 Draft 8

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated References
CWE Content Team MITRE 2023-01-31 +00:00 updated Maintenance_Notes, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Demonstrative_Examples, Observed_Examples, References
CWE Content Team MITRE 2024-02-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated Demonstrative_Examples, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Maintenance_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.