CWE-348: Use of Less Trusted Source
CWE version: 4.18
Last updated: 2025-09-09
Description
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Common Consequences
Scope: Access Control
Technical Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Note: An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.
Observed Examples
Reference: CVE-2001-0860
Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.
Reference: CVE-2004-1950
Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.
Reference: CVE-2001-0908
Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.
Reference: CVE-2006-1126
PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.
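The X-Forwarded-For cases above share one root cause: the application prefers a header any client can write over the peer address the TCP stack recorded. The following added example (not part of the CWE entry) contrasts that weak lookup with one that starts from the socket address and only honours header entries appended by a known proxy; the proxy range and request values are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the application sits behind a reverse proxy in 10.0.0.0/8.
# Only X-Forwarded-For entries appended by these hops can be believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(headers, remote_addr):
    """The weak pattern from CVE-2004-1950 / CVE-2006-1126: the client-supplied
    header is preferred over the socket peer address, so any client can choose
    the address the application sees."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def client_ip(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Start from the peer address (set by the TCP stack, not by the client)
    and walk X-Forwarded-For from the right, consuming one entry per trusted
    proxy. The first address that is not a trusted proxy is the best available
    client address; if the peer itself is not a trusted proxy the header is
    ignored, and a malformed entry falls back to the peer address."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    current = ipaddress.ip_address(remote_addr)
    while hops and any(current in net for net in trusted_proxies):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            return remote_addr  # junk in the chain: trust only the socket address
    return str(current)


def header_disagrees(headers, remote_addr):
    """Detection signal worth logging: the less trusted source claims a different
    client than the verifiable one."""
    return naive_client_ip(headers, remote_addr) != client_ip(headers, remote_addr)


if __name__ == "__main__":
    # Constructed requests: a direct client asserting a forged address, and a
    # proxied request whose left-most entry was written by the client itself.
    print(client_ip({"X-Forwarded-For": "203.0.113.7"}, "198.51.100.9"))  # 198.51.100.9
    print(client_ip({"X-Forwarded-For": "1.2.3.4, 203.0.113.7, 10.0.0.6"}, "10.0.0.5"))  # 203.0.113.7
```

Logging both values when `header_disagrees` is true also addresses the CVE-2001-0908 pattern, since the record then always carries the address the client could not choose.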
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Use of Less Trusted Source | - |
Key Information
CWE ID: CWE-348
Abstraction: Base
Structure: Simple
Status: Draft