Data Validation Issues
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
Weaknesses
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.
The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.
The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that t...
The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or i...
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the...
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the inpu...
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input ...
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other actio...
The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs th...
The product accepts XML from an untrusted source but does not validate the XML against the proper schema.
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are as...
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive loo...
Concepts
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.