Détail du CWE-1293

CWE-1293

Missing Source Correlation of Multiple Independent Data
Draft
2020-08-20
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Missing Source Correlation of Multiple Independent Data

The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.

Informations générales

Modes d'introduction

Architecture and Design : This flaw could be introduced during the design of the application or misconfiguration at run time by only specifying a single point of validation.
Implementation : Such issues could be introduced during hardware implementation, then identified later during Testing or System Configuration phases.
Operation : This weakness could be introduced by intentionally failing all but one of the devices used to retrieve the data or by failing the devices that validate the data.

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Systèmes d’exploitation

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)

Conséquences courantes

Portée Impact Probabilité
Confidentiality
Integrity		Read Application Data, Modify Application Data, Gain Privileges or Assume Identity

Note: An attacker that may be able to execute a single Person-in-the-Middle attack can subvert a check of an external oracle (e.g. the ACME protocol check for a file on a website), and thus inject an arbitrary reply to the single perspective request to the external oracle.

Mesures d’atténuation potentielles

Phases : Requirements
Design system to use a Practical Byzantine fault method, to request information from multiple sources to verify the data and report on potentially compromised information sources.
Phases : Implementation
Failure to use a Practical Byzantine fault method when requesting data. Lack of place to report potentially compromised information sources. Relying on non-independent information sources for integrity checking. Failure to report information sources that respond in the minority to incident response procedures.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-1125

Validation Vulnerabilities
moparisthebest.
https://mailarchive.ietf.org/arch/msg/acme/s6Q5PdJP48LEUwgzrVuw_XPKCsM/

REF-1126

Multi-Perspective Validation Improves Domain Validation Security
Josh Aas, Daniel McCarney, Roland Shoemaker.
https://letsencrypt.org/2020/02/19/multi-perspective-validation

REF-1127

Practical Byzantine Fault Tolerance and Proactive Recovery
Miguel Castro, Barbara Liskov.
https://dl.acm.org/doi/pdf/10.1145/571637.571640

Soumission

Nom Organisation Date Date de publication Version
Kurt Seifried Cloud Security Alliance 2020-04-03 +00:00 2020-08-20 +00:00 4.2

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2020-12-10 +00:00 updated Description, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.