CWE-694: Use of Multiple Resources with Duplicate Identifier

Description

The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.

Extended Description

If the product assumes that each resource has a unique identifier, the product could operate on the wrong resource if attackers can cause multiple resources to be associated with the same identifier.

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-2013-4787

chain: mobile OS verifies cryptographic signature of file in an archive, but then installs a different file with the same name that is also listed in the archive.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	N/A

Common Consequences

Impact: Bypass Protection Mechanism — Notes: If unique identifiers are assumed when protecting sensitive resources, then duplicate identifiers might allow attackers to bypass the protection.
Impact: Quality Degradation — Notes:

Potential Mitigations

Architecture and Design: Where possible, use unique identifiers. If non-unique identifiers are detected, then do not operate any resource with a non-unique identifier and report the error appropriately. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: These two Struts validation forms have the same name.

Body: It is not certain which form will be used by Struts. It is critically important that validation logic be maintained and kept in sync with the rest of the product.

<form-validation> <formset> <form name="ProjectForm"> ... </form> <form name="ProjectForm"> ... </form> </formset> </form-validation>

Notes

Relationship: This weakness is probably closely associated with other issues related to doubling, such as CWE-675 (Duplicate Operations on Resource). It's often a case of an API contract violation (CWE-227).

← Back to CWE list