CWE-471: Modification of Assumed-Immutable Data (MAID)
Description
The product does not properly protect an assumed-immutable element from being modified by an attacker.
Submission Date: 2006-07-19
Modification Date: 2023-06-29
Organization: MITRE
Extended Description
This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.
Example - 1
In the code excerpt below, the caller modifies an array returned by a Java method. Because Java arrays are mutable, writing to the returned array also changes the data the method handed out; if getAllPossibleColors() returns a reference to the object's internal array rather than a copy, the caller has silently rewritten state the object assumed was fixed.
    String[] colors = car.getAllPossibleColors(); // reference to a mutable array
    colors[0] = "Red";                             // overwrites the first element in place
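The following is an added example and is not part of the CWE entry; the Car classes, their color arrays and the method names are assumed for illustration. It places the getter that leaks its internal array next to a hardened getter that returns a defensive copy (and, as an alternative, an unmodifiable list), so the difference in what a caller's write can reach is visible in working code.

```java
import java.util.Arrays;
import java.util.List;

public class AssumedImmutableDemo {

    // Vulnerable variant: returns a reference to the internal array, so any
    // caller can rewrite the object's state (the CWE-471 pattern).
    static final class LeakyCar {
        private final String[] colors = {"Black", "White", "Silver"};

        String[] getAllPossibleColors() {
            return colors; // hands out the mutable internal array
        }
    }

    // Hardened variant: callers only ever receive a copy, so their writes
    // cannot reach the object's own data.
    static final class SafeCar {
        private final String[] colors = {"Black", "White", "Silver"};

        String[] getAllPossibleColors() {
            return colors.clone(); // defensive copy of the array
        }

        List<String> getAllPossibleColorsAsList() {
            return List.of(colors); // copies the elements; set() throws
        }
    }

    public static void main(String[] args) {
        // Caller write against the leaky getter reaches the object itself.
        LeakyCar leaky = new LeakyCar();
        String[] leaked = leaky.getAllPossibleColors();
        leaked[0] = "Red";
        System.out.println("LeakyCar state after caller write: "
                + Arrays.toString(leaky.getAllPossibleColors()));

        // The same write against the hardened getter only touches the copy.
        SafeCar safe = new SafeCar();
        String[] copy = safe.getAllPossibleColors();
        copy[0] = "Red";
        System.out.println("SafeCar state after caller write:  "
                + Arrays.toString(safe.getAllPossibleColors()));

        // An unmodifiable list rejects the write outright.
        try {
            safe.getAllPossibleColorsAsList().set(0, "Red");
        } catch (UnsupportedOperationException e) {
            System.out.println("Unmodifiable list rejected the write");
        }
    }
}
```

Run it with `java AssumedImmutableDemo.java` (Java 11 or later). The first line of output shows the caller's "Red" persisting inside LeakyCar, the second shows SafeCar unchanged. Returning a clone costs an allocation per call; where that matters, returning an unmodifiable view or an immutable collection gives the same guarantee without exposing the backing array.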
Related Weaknesses
This table lists the weaknesses and high-level categories related to this weakness. The relationships give an overview of similar items that may exist at higher and lower levels of abstraction.
CWE-291: Reliance on IP Address for Authentication
CWE-425: Direct Request ('Forced Browsing')
CWE-472: External Control of Assumed-Immutable Web Parameter
CWE-473: PHP External Variable Modification
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-607: Public Static Final Field References Mutable Object
CWE-621: Variable Extraction Error
CWE-664: Improper Control of a Resource Through its Lifetime
CWE-1282: Assumed-Immutable Data is Stored in Writable Memory
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Visit http://cwe.mitre.org/ for more details.