CWE-471: Modification of Assumed-Immutable Data (MAID)

Description

The product does not properly protect an assumed-immutable element from being modified by an attacker.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.

Example Vulnerable Codes

Example - 1

In the code excerpt below, an array returned by a Java method is modified despite the fact that arrays are mutable.


String[] colors = car.getAllPossibleColors();colors[0] = "Red";

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-291: Reliance on IP Address for Authentication
Go to
CWE-425: Direct Request ('Forced Browsing')
Go to
CWE-472: External Control of Assumed-Immutable Web Parameter
Go to
CWE-473: PHP External Variable Modification
Go to
CWE-602: Client-Side Enforcement of Server-Side Security
Go to
CWE-607: Public Static Final Field References Mutable Object
Go to
CWE-621: Variable Extraction Error
Go to
CWE-664: Improper Control of a Resource Through its Lifetime
Go to
CWE-1282: Assumed-Immutable Data is Stored in Writable Memory
Go to
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Go to

Visit http://cwe.mitre.org/ for more details.