CWE-628 Detail

CWE-628

Function Call with Incorrectly Specified Arguments
Draft
2007-05-07
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifiche per un CWE specifico
Rimani informato su qualsiasi modifica relativa a un CWE specifico.
Gestione notifiche

Nome: Function Call with Incorrectly Specified Arguments

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

General Informations

Modes Of Introduction

Implementation

Piattaforme applicabili

Linguaggio

Class: Not Language-Specific (Undetermined)

Conseguenze comuni

Ambito Impatto Probabilità
Other
Access Control		Quality Degradation, Gain Privileges or Assume Identity

Note: This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.

Esempi osservati

Riferimenti Descrizione

CVE-2006-7049

The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.

Potential Mitigations

Phases : Build and Compilation
Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
Phases : Architecture and Design
Make sure your API's are stable before you use them in production code.

Detection Methods

Other

Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.

Note sulla mappatura delle vulnerabilità

Giustificazione : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commento : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Invio

Nome Organizzazione Data Data di rilascio Version
CWE Content Team MITRE 2007-05-07 +00:00 2007-05-07 +00:00 Draft 6

Modifiche

Nome Organizzazione Data Commento
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Relationships, Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2008-11-24 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2009-10-29 +00:00 updated Detection_Factors, Other_Notes, Weakness_Ordinalities
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors
CWE Content Team MITRE 2010-06-21 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Demonstrative_Examples, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Taxonomy_Mappings
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.