CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

Description

The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2002-0018

Does not verify that trusted entity is authoritative for all entities in its response.
CVE: CVE-2006-5462

use of extra data in a signature allows certificate signature forging

Related Attack Patterns (CAPEC)

Attack TTPs

T1584.002 — DNS Server (resource-development)
T1557.002 — ARP Cache Poisoning (credential-access, collection)

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Bypass Protection Mechanism, Modify Application Data — Notes: An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.

Potential Mitigations

None listed.

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

N/A

Notes

No notes available.

← Back to CWE list