The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE: CVE-2019-12799
chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183)
CVE: CVE-2019-10458
sandbox bypass using a method that is on an allowlist
CVE: CVE-2017-1000095
sandbox bypass using unsafe methods that are on an allowlist
CVE: CVE-2019-10458
CI/CD pipeline feature has unsafe elements in allowlist, allowing bypass of script restrictions
CVE: CVE-2017-1000095
Default allowlist includes unsafe methods, allowing bypass of sandbox
Phase | Note |
---|---|
Implementation | N/A |