CWE-234: Failure to Handle Missing Parameter
CWE version: 4.18
Last updated: 2025-09-09
Weakness description
If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.
Common consequences
Scope: Integrity, Confidentiality, Availability, Access Control
Technical impact: Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity
Note: There is the potential for arbitrary code execution with the privileges of the vulnerable program if the function parameter list is exhausted.
Scope: Availability
Technical impact: DoS: Crash, Exit, or Restart
Note: Potentially a program could fail if it needs more arguments than are available.
Potential mitigations
Phase: Build and Compilation
Description: This issue can be simply combated with the use of a proper build process.
Phase: Implementation
Description: Forward declare all functions. This is the recommended solution. Proper forward declaration of all used functions will result in a compiler error if too few arguments are sent to a function.
Observed examples
Reference: CVE-2004-0276
Server earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field.
Reference: CVE-2002-1488
Chat client allows remote malicious IRC servers to cause a denial of service (crash) via a PART message with (1) a missing channel or (2) a channel that the user is not in.
Reference: CVE-2002-1169
Proxy allows remote attackers to cause a denial of service (crash) via an HTTP request to helpout.exe with missing HTTP version numbers.
Reference: CVE-2000-0521
Web server allows disclosure of CGI source code via an HTTP request without the version number.
Reference: CVE-2001-0590
Application server allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification.
Reference: CVE-2003-0239
Chat software allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor.
Reference: CVE-2002-1023
Server allows remote attackers to cause a denial of service (crash) via an HTTP GET request without a URI.
Reference: CVE-2002-1236
CGI crashes when called without any arguments.
Reference: CVE-2003-0422
CGI crashes when called without any arguments.
Reference: CVE-2002-1531
Crash in HTTP request without a Content-Length field.
Reference: CVE-2002-1077
Crash in HTTP request without a Content-Length field.
Reference: CVE-2002-1358
Empty elements/strings in protocol test suite affect many SSH2 servers/clients.
Reference: CVE-2003-0477
FTP server crashes in PORT command without an argument.
Reference: CVE-2002-0107
Resultant infoleak in web server via GET requests without HTTP/1.0 version string.
Reference: CVE-2002-0596
GET request with empty parameter leads to error message infoleak (path disclosure).
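Most of the observed examples above are requests in which a required field (URI, version, Content-Length, Host) is simply absent, and the receiving code assumes it is there. The following is an added example, not part of the CWE entry, of a C request-line parser that checks that each field is present before using it; `parse_request_line`, `next_token` and `struct request_line` are hypothetical names, and the inputs in the comments are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Added example: every field of "METHOD SP URI SP VERSION" is verified to
 * exist before it is copied, so a request that stops early is rejected
 * instead of being processed with a missing parameter. */
#define FIELD_MAX 64

struct request_line {
    char method[FIELD_MAX];
    char uri[FIELD_MAX];
    char version[FIELD_MAX];
};

/* Copy the next space-delimited field from *cursor into dst.
 * Returns 0 on success, -1 if the field is missing or too long. */
static int next_token(const char **cursor, char *dst, size_t dst_len)
{
    const char *start = *cursor + strspn(*cursor, " "); /* skip separators */
    size_t len = strcspn(start, " \r\n");               /* field ends at SP or CRLF */

    if (len == 0 || len >= dst_len)                     /* field missing or oversized */
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    *cursor = start + len;
    return 0;
}

/* Parse a request line such as "GET /index.html HTTP/1.0\r\n" (constructed).
 * "GET /index.html\r\n" (no version) and "\r\n" (no fields) return -1. */
int parse_request_line(const char *line, struct request_line *out)
{
    const char *cursor = line;

    if (line == NULL || out == NULL)
        return -1;
    if (next_token(&cursor, out->method, sizeof out->method) != 0)
        return -1;                                      /* method missing */
    if (next_token(&cursor, out->uri, sizeof out->uri) != 0)
        return -1;                                      /* URI missing, cf. CVE-2002-1023 */
    if (next_token(&cursor, out->version, sizeof out->version) != 0)
        return -1;                                      /* version missing, cf. CVE-2002-0107 */
    if (strncmp(out->version, "HTTP/", 5) != 0)
        return -1;                                      /* third field is not an HTTP version */
    return 0;
}
```

The same pattern (check for presence, then use) applies to header fields such as Host or Content-Length: a lookup that can return "not present" must be tested before the value is consumed.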
Modes of introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable platforms
Languages
Taxonomy mappings
| Taxonomy name | Entry ID | Entry name | Mapping fit |
|---|---|---|---|
| PLOVER | - | Missing Parameter Error | - |
| CLASP | - | Missing parameter | - |