Read Time:43 Second

Description

The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-228

 

Consequences

Integrity, Other: Varies by Context, Unexpected State

 

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-1999-1156
    • FTP server crash via PORT command with non-numeric character.
  • CVE-2004-0270
    • Anti-virus product has assert error when line length is non-numeric.