CWE-183 - Permissive List of Allowed Inputs

Read Time:45 Second

Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive – that is, it allows an input that is unsafe, leading to resultant weaknesses.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-697
CWE-434

Consequences

Access Control: Bypass Protection Mechanism

Potential Mitigations

CVE References

CVE-2019-12799
- chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183)

CVE-2019-10458
- sandbox bypass using a method that is on an allowlist

CVE-2017-1000095
- sandbox bypass using unsafe methods that are on an allowlist

CVE-2019-10458
- CI/CD pipeline feature has unsafe elements in allowlist, allowing bypass of script restrictions

CVE-2017-1000095
- Default allowlist includes unsafe methods, allowing bypass of sandbox

Cyber Security News

CWE-183 – Permissive List of Allowed Inputs

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

News, Advisories and much more