Read Time:45 Second

Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive – that is, it allows an input that is unsafe, leading to resultant weaknesses.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697
CWE-434

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

CVE References

  • CVE-2019-12799
    • chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183)
  • CVE-2019-10458
    • sandbox bypass using a method that is on an allowlist
  • CVE-2019-10458
    • CI/CD pipeline feature has unsafe elements in allowlist, allowing bypass of script restrictions
  • CVE-2017-1000095
    • Default allowlist includes unsafe methods, allowing bypass of sandbox