CWE Individual Dictionary Definition (1.0)
CWE-494: Download of Untrusted Mobile Code Without Integrity Check

Status: Draft
Weakness ID: 494 (Weakness Variant)
Description
Summary

The product downloads external source code or binaries and executes them without sufficiently verifying the origin and integrity of the downloaded code.

Likelihood of Exploit

Medium

Potential Mitigations
Implementation

Do not download and execute mobile code without proper cryptographic safeguards that verify its origin and integrity.

Demonstrative Examples

Java Example:
    import java.net.URL;
    import java.net.URLClassLoader;

    // Loads and initializes a class from an external location without any
    // check of where the code came from or whether it has been altered.
    URL[] classURLs = new URL[]{
        new URL("file:subdir/")
    };
    URLClassLoader loader = new URLClassLoader(classURLs);
    // initialize=true runs the class's static initializers as soon as it loads
    Class loadedClass = Class.forName("loadMe", true, loader);
Other Notes

This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.
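As an added example that is not part of the CWE entry, the hardened counterpart of the Java snippet above: the JAR is fetched into memory, its SHA-256 is compared against a digest pinned out of band, and only a verified private copy is handed to the class loader. The class name, URL and digest are placeholders, and the code assumes Java 17 or later for HexFormat.

```java
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.HexFormat;

public final class VerifiedCodeLoader {

    // Placeholder digest of the expected JAR. A real value is obtained out of
    // band from the publisher (or replaced by signature verification with a
    // trusted key), never fetched from the same server that serves the JAR.
    static final String EXPECTED_SHA256_HEX =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // Fetches the code at codeUrl, verifies its SHA-256 against the pinned
    // digest, and only then hands it to a class loader.
    static Class<?> loadVerifiedClass(URL codeUrl, String expectedSha256Hex,
                                      String className) throws Exception {
        byte[] jar;
        try (InputStream in = codeUrl.openStream()) {
            jar = in.readAllBytes();      // buffer first; nothing is executed yet
        }
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(jar);
        byte[] expected = HexFormat.of().parseHex(expectedSha256Hex);
        if (!MessageDigest.isEqual(actual, expected)) {   // constant-time compare
            throw new SecurityException("Integrity check failed for " + codeUrl
                + ", got SHA-256 " + HexFormat.of().formatHex(actual));
        }
        // Load from a private copy of the verified bytes, so the loader cannot
        // be handed different content than what was checked.
        Path verified = Files.createTempFile("verified-", ".jar");
        verified.toFile().deleteOnExit();
        Files.write(verified, jar);
        URLClassLoader loader = new URLClassLoader(new URL[] { verified.toUri().toURL() });
        return Class.forName(className, true, loader);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical invocation: java VerifiedCodeLoader <jar-url> <class-name>
        Class<?> c = loadVerifiedClass(new URL(args[0]), EXPECTED_SHA256_HEX, args[1]);
        System.out.println("Loaded " + c.getName() + " after integrity check");
    }
}
```

A pinned hash only helps if the expected value comes from a channel the code server cannot tamper with; where the publisher signs releases, verifying that signature with a trusted key serves the same purpose without a per-release pin.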

Relationships
Nature     Type            ID   Name                                                                            View(s) this relationship pertains to
ChildOf    Category        490  Mobile Code Issues                                                              Development Concepts (primary) (699)
ChildOf    Weakness Class  669  Incorrect Resource Transfer Between Spheres                                     Research Concepts (primary) (1000)
PeerOf     Weakness Base   79   Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))  Research Concepts (1000)
CanFollow  Weakness Base   79   Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))  Research Concepts (1000)
Taxonomy Mappings
Mapped Taxonomy Name   Mapped Node Name
CLASP                  Invoking untrusted mobile code
Applicable Platforms
Languages
Java
Time of Introduction
* Architecture and Design
* Implementation
Content History
Submissions
CLASP. (Externally Mined)
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Other_Notes, Taxonomy_Mappings
Previous Entry Names
* Mobile Code: Invoking Untrusted Mobile Code (changed 2008-04-11)
Page Last Updated: September 10, 2008