CWE-1293: Missing Source Correlation of Multiple Independent Data
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product relies on a single source of data, so it has no way to detect whether an adversary has compromised that source.
Common Consequences
Scope: Confidentiality, Integrity
Technical Impact: Read Application Data; Modify Application Data; Gain Privileges or Assume Identity
Note: An attacker who can mount even a single Person-in-the-Middle attack can subvert a check against an external oracle (e.g. an ACME challenge that looks for a file on a website): because the oracle is queried from only one perspective, the attacker injects an arbitrary reply to that one request and the check has nothing to compare it against.
Potential Mitigations
Phase: Requirements
Description: Design the system to use a Practical Byzantine fault-tolerant method: request the information from multiple independent sources, accept it only when enough of them agree, and report sources whose answers fall in the minority as potentially compromised.
Phase: Implementation
Description: Avoid the following implementation failures: not using a Practical Byzantine fault-tolerant method when requesting data; providing no place to report potentially compromised information sources; relying on information sources that are not independent of one another for integrity checking; and failing to forward sources that respond in the minority to incident response procedures.
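One way to implement the multi-source check the mitigations describe, as an added example that is not CWE's own code nor any certificate authority's implementation. It models an ACME-style check in which a validator fetches a file from the requester's web server and compares it with an expected value: a single vantage point is fooled by one Person-in-the-Middle on its path, whereas n >= 3f+1 vantage points on distinct networks with a 2f+1 agreement quorum tolerate f compromised or failed sources and expose the minority for reporting. Every vantage point name, network label, URL and response below is constructed for the example.

```python
"""Multi-perspective validation of an external oracle (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Fetch = Callable[[str], Optional[str]]  # response body, or None on a network error


@dataclass(frozen=True)
class VantagePoint:
    name: str
    network: str  # hypothetical provider/ASN label, used to enforce source independence
    fetch: Fetch


@dataclass
class Verdict:
    accepted: bool
    value: Optional[str]                  # value the quorum agreed on, None if no quorum
    agreeing: List[str]                   # sources that returned the quorum value
    suspicious: Dict[str, Optional[str]]  # minority or erroring sources -> what they returned


def single_perspective_check(vp: VantagePoint, url: str, expected: str) -> bool:
    """The weak pattern: one source, so a subverted source is indistinguishable from truth."""
    return vp.fetch(url) == expected


def multi_perspective_check(vps: List[VantagePoint], url: str, expected: str, f: int) -> Verdict:
    """Byzantine-quorum check tolerating up to f faulty or compromised vantage points."""
    if len(vps) < 3 * f + 1:
        raise ValueError(f"need at least {3 * f + 1} vantage points to tolerate {f} faults")
    if len({vp.network for vp in vps}) != len(vps):
        raise ValueError("vantage points must sit on distinct networks to count as independent")
    quorum = 2 * f + 1
    observed = {vp.name: vp.fetch(url) for vp in vps}
    counts = Counter(v for v in observed.values() if v is not None)  # errors never form a quorum
    if not counts or counts.most_common(1)[0][1] < quorum:
        # No value reached quorum: fail closed and hand every response to incident response.
        return Verdict(False, None, [], dict(observed))
    value = counts.most_common(1)[0][0]
    agreeing = [n for n, v in observed.items() if v == value]
    suspicious = {n: v for n, v in observed.items() if v != value}
    return Verdict(value == expected, value, agreeing, suspicious)


# --- constructed scenario: an attacker requests a certificate for a domain it does not own ---
URL = "http://example.test/.well-known/acme-challenge/tok123"
ATTACKER_KEYAUTH = "tok123.ATTACKER-THUMBPRINT"  # what the attacker's account expects to see
OWNER_KEYAUTH = "tok123.OWNER-THUMBPRINT"        # what the real owner would publish
NOT_FOUND = "HTTP 404"                           # the real server has no such challenge file


def real_server(url: str) -> Optional[str]:
    return NOT_FOUND


def hijacked_path(url: str) -> Optional[str]:
    return ATTACKER_KEYAUTH  # Person-in-the-Middle between one vantage point and example.test


def unreachable(url: str) -> Optional[str]:
    return None


def attacker_scenario() -> Dict[str, object]:
    vps = [
        VantagePoint("us-east", "net-A", real_server),
        VantagePoint("eu-west", "net-B", hijacked_path),
        VantagePoint("ap-south", "net-C", real_server),
        VantagePoint("sa-east", "net-D", real_server),
    ]
    single = single_perspective_check(vps[1], URL, ATTACKER_KEYAUTH)  # the hijacked vantage alone
    multi = multi_perspective_check(vps, URL, ATTACKER_KEYAUTH, f=1)
    return {"single_accepted": single, "multi": multi}


def legitimate_scenario() -> Verdict:
    """The owner really published the file; one vantage point is down. A quorum still forms."""
    def owner_server(url: str) -> Optional[str]:
        return OWNER_KEYAUTH
    vps = [
        VantagePoint("us-east", "net-A", owner_server),
        VantagePoint("eu-west", "net-B", unreachable),
        VantagePoint("ap-south", "net-C", owner_server),
        VantagePoint("sa-east", "net-D", owner_server),
    ]
    return multi_perspective_check(vps, URL, OWNER_KEYAUTH, f=1)


if __name__ == "__main__":
    a = attacker_scenario()
    print("single perspective accepted attacker:", a["single_accepted"])  # True
    print("multi perspective accepted attacker:", a["multi"].accepted)    # False
    print("report to incident response:", a["multi"].suspicious)          # {'eu-west': 'tok123.ATTACKER-THUMBPRINT'}
    print("legitimate request accepted:", legitimate_scenario().accepted)  # True
```

The `suspicious` field is the reporting hook the mitigation asks for: a minority answer is not proof of compromise (one vantage point may simply be misrouted), but it is exactly what incident response needs to see. The distinct-network check is a crude stand-in for real independence; vantage points that share an upstream provider, DNS resolver or BGP path can all be deceived by one attacker and should not be counted separately.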
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | This flaw can be introduced during application design, or through misconfiguration at run time, by specifying only a single point of validation. |
| Implementation | Such issues can be introduced during hardware implementation and identified later, in the Testing or System Configuration phases. |
| Operation | This weakness can be introduced at run time by deliberately disabling all but one of the devices used to retrieve the data, or by disabling the devices that validate it, so that the remaining single source can no longer be cross-checked. |