CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.1)  

CWE-344: Use of Invariant Value in Dynamically Changing Context

 
Use of Invariant Value in Dynamically Changing Context
Weakness ID: 344 (Weakness Base)Status: Draft
+ Description

Description Summary

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Other

Technical Impact: Varies by context

+ Observed Examples
ReferenceDescription
CVE-2002-0980Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context
+ Potential Mitigations

Increase the entropy used to seed a PRNG.

Phases: Architecture and Design; Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [R.344.1] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

+ Other Notes

This is often a factor in attacks on web browsers, in which known or predictable filenames become necessary to exploit browser vulnerabilities.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
Resultant
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class330Use of Insufficiently Random Values
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base323Reusing a Nonce, Key Pair in Encryption
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base587Assignment of a Fixed Address to a Pointer
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base798Use of Hard-coded Credentials
Research Concepts1000
+ Relationship Notes

overlaps default configuration.

+ Relevant Properties
  • Mutability
  • Uniqueness
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERStatic Value in Unpredictable Context
+ References
[R.344.1] [REF-1] Information Technology Laboratory, National Institute of Standards and Technology. "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES". 2001-05-25. <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes, Relationship_Notes, Relevant_Properties, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated Potential_Mitigations
2009-12-28CWE Content TeamMITREInternal
updated Potential_Mitigations
2010-02-16CWE Content TeamMITREInternal
updated Relationships
2010-06-21CWE Content TeamMITREInternal
updated Potential_Mitigations
2010-12-13CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2011-09-13CWE Content TeamMITREInternal
updated Potential_Mitigations, References
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Static Value in Unpredictable Context
Back to top
Page Last Updated: September 12, 2011
 

CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us