CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (2.7)

CWE-345: Insufficient Verification of Data Authenticity

 
Weakness ID: 345 (Weakness Class)
Status: Draft
+ Description

Description Summary

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope | Effect
 | Technical Impact: Varies by context; Unexpected state

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 254 | Security Features | Development Concepts (primary) 699
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 898 | SFP Cluster: Authentication | Software Fault Pattern (SFP) Clusters (primary) 888
ParentOf | Weakness Base | 346 | Origin Validation Error | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 347 | Improper Verification of Cryptographic Signature | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 348 | Use of Less Trusted Source | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 349 | Acceptance of Extraneous Untrusted Data With Trusted Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 351 | Insufficient Type Distinction | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Compound Element: Composite | 352 | Cross-Site Request Forgery (CSRF) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 353 | Missing Support for Integrity Check | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 354 | Improper Validation of Integrity Check Value | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 360 | Trust of System Event Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 616 | Incomplete Identification of Uploaded File Variables (PHP) | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 646 | Reliance on File Name or Extension of Externally-Supplied File | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Class | 924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | Development Concepts (primary) 699; Research Concepts (primary) 1000
CanAlsoBe | Weakness Base | 283 | Unverified Ownership | Research Concepts 1000
CanAlsoBe | Weakness Base | 358 | Improperly Implemented Security Check for Standard | Research Concepts 1000
CanAlsoBe | Weakness Base | 708 | Incorrect Ownership Assignment | Research Concepts 1000
+ Relationship Notes

"origin validation" could fall under this.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Insufficient Verification of Data
OWASP Top Ten 2004 | A3 | | Broken Authentication and Session Management
WASC | 12 | | Content Spoofing
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 15: Not Updating Easily." Page 231. McGraw-Hill. 2010.
+ Maintenance Notes

The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category.

+ Content History
Submissions
Submission Date | Submitter | Organization | Source
Externally Mined

Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | | Cigital | External
    updated Time_of_Introduction
2008-09-08 | | MITRE | Internal
    updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings
2009-05-27 | | MITRE | Internal
    updated Related_Attack_Patterns
2009-07-27 | | MITRE | Internal
    updated Related_Attack_Patterns
2010-02-16 | | MITRE | Internal
    updated Taxonomy_Mappings
2010-04-05 | | MITRE | Internal
    updated Related_Attack_Patterns
2010-12-13 | | MITRE | Internal
    updated Related_Attack_Patterns
2011-06-01 | | MITRE | Internal
    updated Common_Consequences
2011-06-27 | | MITRE | Internal
    updated Common_Consequences
2012-05-11 | | MITRE | Internal
    updated References, Related_Attack_Patterns, Relationships
2013-07-17 | | MITRE | Internal
    updated Relationships

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Insufficient Verification of Data
Page Last Updated: June 23, 2014