Acceptance of Extraneous Untrusted Data With Trusted Data

Status: Draft
Abstraction: Base
Structure: Simple
Description

The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Common Consequences

Scope: Access Control, Integrity

Impact: Bypass Protection Mechanism, Modify Application Data

An attacker could package untrusted data together with trusted data so that the product accepts the whole bundle, bypassing a protection mechanism and gaining access to, and possibly modifying, sensitive data.

Observed Examples

CVE-2002-0018: Does not verify that the trusted entity is authoritative for all entities in its response.
CVE-2006-5462: Use of extra data in a signature allows certificate signature forging.
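The first observed example is the DNS "bailiwick" problem: a resolver that trusts a server's answer and then caches every additional record that happened to be packaged with it, including records for names the server has no authority over. The following is an added illustration, not code from the CWE entry or from any affected product; the record format, names and addresses are constructed sample data, and the zone/record model is simplified to what the check needs.

```python
"""Added example: a toy DNS cache that either accepts every record in a
response (the weakness) or applies a bailiwick check, keeping only records
for names the answering server is authoritative for.

All names, addresses and records below are constructed sample data.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "www.example.com"
    rtype: str  # record type, "A" or "NS" in this example
    data: str   # IPv4 address (A) or nameserver name (NS)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it in the DNS tree.

    The comparison is label-wise and case-insensitive, so "evilexample.com"
    is NOT inside "example.com" even though it ends with the same string.
    """
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def cache_naive(zone: str, response: list[Record]) -> dict[tuple[str, str], str]:
    """The weakness: every record that arrives alongside the trusted answer
    is cached, regardless of whether the server is authoritative for it.
    `zone` is accepted only so both functions have the same signature."""
    return {(r.name.lower(), r.rtype): r.data for r in response}


def cache_checked(zone: str, response: list[Record]) -> dict[tuple[str, str], str]:
    """Hardened: only records whose owner name falls under the zone the
    responding server is authoritative for are accepted; extraneous
    records for other zones are dropped before they reach the cache."""
    return {
        (r.name.lower(), r.rtype): r.data
        for r in response
        if in_bailiwick(r.name, zone)
    }


# Constructed response from the server that is authoritative for example.com.
# The first three records legitimately belong to that zone. The last two are
# extraneous: they claim an address and a nameserver for example.org, a zone
# this server is not authoritative for.
SAMPLE_RESPONSE = [
    Record("www.example.com", "A", "192.0.2.10"),
    Record("example.com", "NS", "ns1.example.com"),
    Record("ns1.example.com", "A", "192.0.2.53"),
    Record("login.example.org", "A", "203.0.113.66"),  # extraneous
    Record("example.org", "NS", "ns1.example.com"),    # extraneous
]

if __name__ == "__main__":
    naive = cache_naive("example.com", SAMPLE_RESPONSE)
    checked = cache_checked("example.com", SAMPLE_RESPONSE)
    print("naive cache accepted login.example.org:",
          ("login.example.org", "A") in naive)
    print("checked cache accepted login.example.org:",
          ("login.example.org", "A") in checked)
```

The check is deliberately per-record rather than per-response: the response as a whole is trusted for the zone that was queried, but that trust does not extend to any other name the server chose to include. The same discipline applies to the second observed example, where a signature verifier must reject any bytes beyond the structure the signature is supposed to cover rather than ignoring them.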
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
  • The CERT Oracle Secure Coding Standard for Java (2011)