Tag Archives: Incorrect Control Flow Scoping

CWE-705 – Incorrect Control Flow Scoping

Read Time:31 Second

Description

The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-691

 

Consequences

Other: Alter Execution Logic, Other

 

Potential Mitigations

CVE References

 

  • CVE-2014-1266
    • chain: incorrect “goto” in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple “goto fail” bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).