CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (2.8)


CWE-345: Insufficient Verification of Data Authenticity

 
Weakness ID: 345 (Weakness Class)
Status: Draft
+ Description

Description Summary

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope | Effect
Integrity, Other | Technical Impact: Varies by context; Unexpected state

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 254 | Security Features | Development Concepts (primary) 699
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000
ChildOf | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 949 | SFP Secondary Cluster: Faulty Endpoint Authentication | Software Fault Pattern (SFP) Clusters (primary) 888
ParentOf | Weakness Base | 346 | Origin Validation Error | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 347 | Improper Verification of Cryptographic Signature | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 348 | Use of Less Trusted Source | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 349 | Acceptance of Extraneous Untrusted Data With Trusted Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 351 | Insufficient Type Distinction | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Compound Element: Composite | 352 | Cross-Site Request Forgery (CSRF) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 353 | Missing Support for Integrity Check | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 354 | Improper Validation of Integrity Check Value | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 360 | Trust of System Event Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 616 | Incomplete Identification of Uploaded File Variables (PHP) | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 646 | Reliance on File Name or Extension of Externally-Supplied File | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Class | 924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | Development Concepts (primary) 699; Research Concepts (primary) 1000
CanAlsoBe | Weakness Base | 283 | Unverified Ownership | Research Concepts 1000
CanAlsoBe | Weakness Base | 358 | Improperly Implemented Security Check for Standard | Research Concepts 1000
CanAlsoBe | Weakness Base | 708 | Incorrect Ownership Assignment | Research Concepts 1000
+ Relationship Notes

"origin validation" could fall under this.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | - | - | Insufficient Verification of Data
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management
WASC | 12 | - | Content Spoofing
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 15: Not Updating Easily." Page 231. McGraw-Hill. 2010.
+ Maintenance Notes

The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category.

+ Content History
Submissions
Submission Date | Submitter | Organization | Source
- | PLOVER | - | Externally Mined

Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
    updated Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings
2009-05-27 | CWE Content Team | MITRE | Internal
    updated Related_Attack_Patterns
2009-07-27 | CWE Content Team | MITRE | Internal
    updated Related_Attack_Patterns
2010-02-16 | CWE Content Team | MITRE | Internal
    updated Taxonomy_Mappings
2010-04-05 | CWE Content Team | MITRE | Internal
    updated Related_Attack_Patterns
2010-12-13 | CWE Content Team | MITRE | Internal
    updated Related_Attack_Patterns
2011-06-01 | CWE Content Team | MITRE | Internal
    updated Common_Consequences
2011-06-27 | CWE Content Team | MITRE | Internal
    updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal
    updated References, Related_Attack_Patterns, Relationships
2013-07-17 | CWE Content Team | MITRE | Internal
    updated Relationships
2014-07-30 | CWE Content Team | MITRE | Internal
    updated Relationships

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Insufficient Verification of Data
Page Last Updated: July 30, 2014