Use of Invariant Value in Dynamically Changing Context

Draft Base
Structure: Simple
Description

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Common Consequences 1
Scope: Other

Impact: Varies by Context

Demonstrative Examples 2

ID : DX-14

The following code is an example of an internal hard-coded password in the back-end:

Code Example (Bad, C)

Code Example (Bad, Java)

Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
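
The contrast described above, as an added C example that is not part of the original entry: an invariant diagnostic password beside a per-instance form that fails closed. The password strings, the `DIAG_SECRET` variable name and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak form: constructed constant, identical in every shipped binary. */
static const char INVARIANT_PW[] = "constructed-diag-password";

int verify_invariant(const char *candidate) {
    return candidate != NULL && strcmp(candidate, INVARIANT_PW) == 0;
}

/* Per-deployment setting; a NULL secret means diagnostic mode is disabled. */
struct diag_config { const char *secret; };

/* DIAG_SECRET is a hypothetical variable name, set per instance at install time. */
struct diag_config load_diag_config(void) {
    struct diag_config cfg = { getenv("DIAG_SECRET") };
    if (cfg.secret != NULL && strlen(cfg.secret) < 16)
        cfg.secret = NULL;   /* reject short secrets: fail closed */
    return cfg;
}

/* Hardened form: checks against this instance's own secret in constant time. */
int verify_per_instance(const struct diag_config *cfg, const char *candidate) {
    if (cfg == NULL || cfg->secret == NULL || candidate == NULL)
        return 0;
    size_t n = strlen(cfg->secret);
    if (strlen(candidate) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(cfg->secret[i] ^ candidate[i]);
    return diff == 0;
}

int main(void) {
    struct diag_config cfg = load_diag_config();
    printf("diagnostic mode %s\n",
           cfg.secret ? "enabled for this instance" : "disabled");
    return 0;
}
```

With the per-instance form, a password recovered from one installation does not open diagnostic mode on another, and an instance with no provisioned secret has the mode disabled.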

ID : DX-192

This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.

Code Example (Bad, C)

// Here we can inject code to execute.

The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution.
Observed Examples 1
CVE-2002-0980: Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
Taxonomy Mapping
  • PLOVER
Notes
Relationship: overlaps default configuration.