CWE-345: Insufficient Verification of Data Authenticity

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Example Vulnerable Codes

Example - 1

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors did not sign firmware images.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-20: Improper Input Validation
Go to
CWE-346: Origin Validation Error
Go to
CWE-347: Improper Verification of Cryptographic Signature
Go to
CWE-348: Use of Less Trusted Source
Go to
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Go to
CWE-351: Insufficient Type Distinction
Go to
CWE-352: Cross-Site Request Forgery (CSRF)
Go to
CWE-353: Missing Support for Integrity Check
Go to
CWE-354: Improper Validation of Integrity Check Value
Go to
CWE-358: Improperly Implemented Security Check for Standard
Go to
CWE-360: Trust of System Event Data
Go to
CWE-494: Download of Code Without Integrity Check
Go to
CWE-616: Incomplete Identification of Uploaded File Variables (PHP)
Go to
CWE-646: Reliance on File Name or Extension of Externally-Supplied File
Go to
CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Go to
CWE-693: Protection Mechanism Failure
Go to
CWE-708: Incorrect Ownership Assignment
Go to
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Go to
CWE-1293: Missing Source Correlation of Multiple Independent Data
Go to
CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
Go to

Visit http://cwe.mitre.org/ for more details.