Détail du CWE-110

Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.

It is easy for developers to forget to update validation logic when they make changes to an ActionForm class. One indication that validation logic is not being properly maintained is inconsistencies between the action form and the validation form.

Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Modes d'introduction

Implementation
Operation

Plateformes applicables

Langue

Name: Java (Undetermined)

Conséquences courantes

Méthodes de détection

Automated Static Analysis

To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.
Efficacité : Moderate

Manual Static Analysis

To find the issue in the implementation, manual checks or automated static analysis could be applied to the XML configuration files.
Efficacité : Moderate

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

Soumission

Modifications