CWE-360: Trust of System Event Data
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
Security based on event locations are insecure and can be spoofed.
扩展描述
Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.
常见后果
影响范围: Integrity Confidentiality Availability Access Control
技术影响: Gain Privileges or Assume Identity Execute Unauthorized Code or Commands
说明: If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.
潜在缓解措施
阶段: Architecture and Design
描述: Never trust or rely any of the information in an Event for security.
观察示例
参考: CVE-2004-0213
Attacker uses Shatter attack to bypass GUI-enforced protection for CVE-2003-0908.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Trust of system event data | - |
| Software Fault Patterns | SFP29 | Faulty endpoint authentication | - |