CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.4)  

CWE-345: Insufficient Verification of Data Authenticity

 
Insufficient Verification of Data Authenticity
Weakness ID: 345 (Weakness Class)Status: Draft
+ Description

Description Summary

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Integrity
Other

Technical Impact: Varies by context; Unexpected state

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory254Security Features
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory898SFP Cluster: Authentication
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness VariantWeakness Variant247Reliance on DNS Lookups in a Security Decision
Research Concepts1000
ParentOfWeakness VariantWeakness Variant297Improper Validation of Certificate with Host Mismatch
Research Concepts1000
ParentOfWeakness BaseWeakness Base322Key Exchange without Entity Authentication
Research Concepts1000
ParentOfWeakness BaseWeakness Base346Origin Validation Error
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base347Improper Verification of Cryptographic Signature
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base348Use of Less Trusted Source
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base349Acceptance of Extraneous Untrusted Data With Trusted Data
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base350Improperly Trusted Reverse DNS
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base351Insufficient Type Distinction
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfCompound Element: CompositeCompound Element: Composite352Cross-Site Request Forgery (CSRF)
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base353Missing Support for Integrity Check
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base354Improper Validation of Integrity Check Value
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base360Trust of System Event Data
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant616Incomplete Identification of Uploaded File Variables (PHP)
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant646Reliance on File Name or Extension of Externally-Supplied File
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base649Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Development Concepts (primary)699
Research Concepts (primary)1000
CanAlsoBeWeakness BaseWeakness Base283Unverified Ownership
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base358Improperly Implemented Security Check for Standard
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base708Incorrect Ownership Assignment
Research Concepts1000
+ Relationship Notes

"origin validation" could fall under this.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInsufficient Verification of Data
OWASP Top Ten 2004A3CWE_More_SpecificBroken Authentication and Session Management
WASC12Content Spoofing
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 15: Not Updating Easily." Page 231. McGraw-Hill. 2010.
+ Maintenance Notes

The specific ways in which the origin is not properly identified should be laid out as separate weaknesses. In some sense, this is more like a category.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Maintenance_Notes, Relationships, Relationship_Notes, Taxonomy_Mappings
2009-05-27CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2009-07-27CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-02-16CWE Content TeamMITREInternal
updated Taxonomy_Mappings
2010-04-05CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-12-13CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Related_Attack_Patterns, Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Insufficient Verification of Data
Back to top
Page Last Updated: February 20, 2013
 

CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us