Description
The software does not handle, or incorrectly handles, the case in which a particular element is not of the expected type; for example, it expects a digit (0-9) but is provided with a letter (A-Z).
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Scope: Integrity, Other. Impact: Varies by Context, Unexpected State.
Potential Mitigations
Phase: Implementation
Description:
Phase: Implementation
Description:
Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
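As an added example (not part of the CWE entry), a Python validator for an FTP-style PORT argument of the kind involved in the first CVE reference below: it decodes the input exactly once, canonicalizes it, and only then checks that every field is of the type the protocol specifies (ASCII digits 0-9 within range) instead of assuming it. The function and field names are assumptions.

```python
import re
from urllib.parse import unquote

# Strict ASCII digit field. Note that str.isdigit() and int() also accept
# Unicode digits such as fullwidth '１', which is not the type PORT specifies.
_DIGITS = re.compile(r"[0-9]{1,3}\Z")


def canonicalize(raw: str) -> str:
    """Decode exactly once (CWE-174) into the internal representation
    before any validation (CWE-180); trimming is the only other normalization."""
    return unquote(raw).strip()


def parse_port_args(raw: str) -> tuple[str, int]:
    """Validate the argument of an FTP-style PORT command: six comma-separated
    decimal fields h1,h2,h3,h4,p1,p2, each an ASCII integer in 0..255.
    Raises ValueError on a non-numeric field instead of crashing later."""
    fields = canonicalize(raw).split(",")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    values = []
    for i, field in enumerate(fields):
        # Letters, signs, empty fields and non-ASCII digits are all rejected here.
        if not _DIGITS.match(field):
            raise ValueError(f"field {i} is not an ASCII decimal number: {field!r}")
        n = int(field)
        if n > 255:
            raise ValueError(f"field {i} out of range: {n}")
        values.append(n)
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return host, port


def accepts(raw: str) -> bool:
    """True if the argument passes validation, False if it is rejected."""
    try:
        parse_port_args(raw)
        return True
    except ValueError:
        return False
```

Because decoding happens once and before validation, a percent-encoded comma is accepted as a separator, while a doubly-encoded character remains a literal `%` sequence and is rejected as non-numeric.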
CVE References
- CVE-1999-1156: FTP server crash via PORT command with non-numeric character.
- CVE-2004-0270: Anti-virus product has assert error when line length is non-numeric.