CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE-344: Use of Invariant Value in Dynamically Changing Context

Weakness ID: 344
Abstraction: Base
Status: Draft
Presentation Filter:
+ Description

Description Summary

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Other

Technical Impact: Varies by context

+ Observed Examples
ReferenceDescription
Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context
+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
Resultant
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class330Use of Insufficiently Random Values
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory905SFP Primary Cluster: Predictability
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness BaseWeakness Base323Reusing a Nonce, Key Pair in Encryption
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base587Assignment of a Fixed Address to a Pointer
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base798Use of Hard-coded Credentials
Research Concepts1000
+ Relationship Notes

overlaps default configuration.

+ Relevant Properties
  • Mutability
  • Uniqueness
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERStatic Value in Unpredictable Context
+ References
[R.344.1] [REF-1] Information Technology Laboratory, National Institute of Standards and Technology. "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES". 2001-05-25. <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated Potential_Mitigations
2009-12-28CWE Content TeamMITREInternal
updated Potential_Mitigations
2010-02-16CWE Content TeamMITREInternal
updated Relationships
2010-06-21CWE Content TeamMITREInternal
updated Potential_Mitigations
2010-12-13CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2011-09-13CWE Content TeamMITREInternal
updated Potential_Mitigations, References
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-06-23CWE Content TeamMITREInternal
updated Other_Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Static Value in Unpredictable Context

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017