CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data

Read Time:33 Second

Description

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-345

Consequences

Access Control, Integrity: Bypass Protection Mechanism, Modify Application Data

An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.

Potential Mitigations

CVE References

CVE-2002-0018
- Does not verify that trusted entity is authoritative for all entities in its response.

CVE-2006-5462
- use of extra data in a signature allows certificate signature forging

InAcceptance of Extraneous Untrusted Data With Trusted Data, CVE-2002-0018, CWE- 349

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...

rocco

February 19, 2023February 19, 2023

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...

rocco

February 19, 2023February 19, 2023

CWE-669 – Incorrect Resource Transfer Between Spheres

Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...

rocco

May 26, 2022