Read Time:33 Second

Description

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-345

 

Consequences

Access Control, Integrity: Bypass Protection Mechanism, Modify Application Data

An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.

 

Potential Mitigations

CVE References

  • CVE-2002-0018
    • Does not verify that trusted entity is authoritative for all entities in its response.
  • CVE-2006-5462
    • use of extra data in a signature allows certificate signature forging