Modification of Assumed-Immutable Data (MAID)ID: 471 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The software does not properly protect an assumed-immutable
element from being modified by an attacker.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|
Integrity | Modify application
data | |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and DesignOperationImplementation | | Implement proper protection for immutable data (e.g. environment
variable, hidden form fields, etc.) | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-471 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the code excerpt below, an array returned by a Java method is
modified despite the fact that arrays are mutable.
Observed Examples
- CVE-2002-1757 : Relies on $PHP_SELF variable for authentication.
- CVE-2005-1905 : Gain privileges by modifying assumed-immutable code addresses that are accessed by a driver.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
PLOVER | | Modification of Assumed-Immutable Data | |
References:None