CWE-105: Struts: Form Field Without Validator
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
Extended Description
Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Common Consequences
Scope: Integrity
Technical Impact: Unexpected State
Scope: Integrity
Technical Impact: Bypass Protection Mechanism
Note: If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.
Potential Mitigations
Phase: Implementation
Description: Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | Some products use the same ActionForm for more than one purpose. In situations like this, some fields may go unused under some action mappings. |
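The mitigation above (validate every field, and pin unused ones to empty) and the ActionForm-reuse scenario in the table, shown as a Struts 1 Validator `validation.xml` fragment. This is an added, constructed example, not part of the CWE entry; the form and property names (`checkoutForm`, `email`, `discountCode`) and the resource keys are assumed.

```xml
<!-- validation.xml fragment (Struts 1 Validator); names are constructed for this example -->
<form-validation>
  <formset>
    <!-- BEFORE: the ActionForm is shared by several action mappings. "discountCode"
         is only meaningful under one of them and has no <field> entry at all, so
         under the other mappings it is never checked, yet shared action logic may
         still read it. That missing validator is the CWE-105 condition. -->
    <form name="checkoutForm">
      <field property="email" depends="required,email">
        <arg key="checkoutForm.email" position="0"/>
      </field>
      <!-- discountCode: no validator -->
    </form>

    <!-- AFTER: every property carried by the form has a validator. The field that
         this mapping does not use is constrained to be empty: the "mask" check is
         applied only to non-blank values, and the pattern ^$ cannot match a
         non-empty string, so any supplied value for discountCode is rejected. -->
    <form name="checkoutFormFixed">
      <field property="email" depends="required,email">
        <arg key="checkoutForm.email" position="0"/>
      </field>
      <field property="discountCode" depends="mask">
        <arg key="checkoutForm.discountCode" position="0"/>
        <var>
          <var-name>mask</var-name>
          <var-value>^$</var-value>
        </var>
      </field>
    </form>
  </formset>
</form-validation>
```

When the same ActionForm genuinely needs different rules per mapping, the corrected `<form>` block should exist for each mapping rather than relying on one mapping's rules to cover the others.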
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Struts: Form Field Without Validator | - |
| Software Fault Patterns | SFP24 | Tainted input to command | - |