Use of Invariant Value in Dynamically Changing Context| ID: 344 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The product uses a constant value, name, or reference, but this
value can (or should) vary across different environments.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Other | Varies by context | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Increase the entropy used to seed a PRNG. | | |
| Architecture and DesignRequirements | Libraries or Frameworks | Use products or modules that conform to FIPS 140-2 [R.344.1] to avoid
obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random
Number Generators"). | | |
Relationshipsoverlaps default configuration.
| Related CWE | Type | View | Chain |
|---|
| CWE-344 ChildOf CWE-905 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2002-0980 : Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Static Value in Unpredictable Context | |
References:
- Information Technology Laboratory, National Institute of
Standards and Technology .SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC
MODULES. 2001-05-25.
