Detalle CWE-628

CWE-628

Function Call with Incorrectly Specified Arguments
Draft
2007-05-07
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Function Call with Incorrectly Specified Arguments

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Informaciones generales

Modos de introducción

Implementation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
Other
Access Control		Quality Degradation, Gain Privileges or Assume Identity

Note: This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.

Ejemplos observados

Referencias Descripción

CVE-2006-7049

The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.

Mitigaciones potenciales

Phases : Build and Compilation
Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
Phases : Architecture and Design
Make sure your API's are stable before you use them in production code.

Métodos de detección

Other

Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
CWE Content Team MITRE 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Modificaciones

Nombre Organización Fecha Comentario
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Relationships, Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-10-29 +00:00 updated Detection_Factors, Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors
CWE Content Team MITRE 2010-06-21 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Demonstrative_Examples, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Taxonomy_Mappings
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.