Modes d'introduction
Implementation : Some products use the same ActionForm for more than one purpose. In situations like this, some fields may go unused under some action mappings.
Plateformes applicables
Langue
Name: Java (Undetermined)
Conséquences courantes
Portée |
Impact |
Probabilité |
Integrity | Unexpected State | |
Integrity | Bypass Protection Mechanism
Note: If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form. | |
Mesures d’atténuation potentielles
Phases : Implementation
Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-6
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Soumission
Nom |
Organisation |
Date |
Date de publication |
Version |
7 Pernicious Kingdoms |
|
2006-07-19 +00:00 |
2006-07-19 +00:00 |
Draft 3 |
Modifications
Nom |
Organisation |
Date |
Commentaire |
Eric Dalci |
Cigital |
2008-07-01 +00:00 |
updated Time_of_Introduction |
CWE Content Team |
MITRE |
2008-09-08 +00:00 |
updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
CWE Content Team |
MITRE |
2010-06-21 +00:00 |
updated Demonstrative_Examples |
CWE Content Team |
MITRE |
2011-06-01 +00:00 |
updated Common_Consequences |
CWE Content Team |
MITRE |
2011-06-27 +00:00 |
updated Common_Consequences |
CWE Content Team |
MITRE |
2012-05-11 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2012-10-30 +00:00 |
updated Potential_Mitigations |
CWE Content Team |
MITRE |
2014-06-23 +00:00 |
updated Common_Consequences, Description, Modes_of_Introduction, Other_Notes |
CWE Content Team |
MITRE |
2014-07-30 +00:00 |
updated Relationships, Taxonomy_Mappings |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated Causal_Nature, Relationships |
CWE Content Team |
MITRE |
2019-01-03 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2020-02-24 +00:00 |
updated References, Relationships |
CWE Content Team |
MITRE |
2021-07-20 +00:00 |
updated Potential_Mitigations |
CWE Content Team |
MITRE |
2023-01-31 +00:00 |
updated Description, Modes_of_Introduction |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |