CWE-688: Function Call With Incorrect Variable or Reference as Argument

Description

The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.

Submission Date: April 11, 2008, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Example Vulnerable Code

Example - 1

In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.



    private static final String[] ADMIN_ROLES = ...;

    public boolean accessGranted(String resource, String user) {
        String[] userRoles = getUserRoles(user);
        // Wrong argument: the static ADMIN_ROLES array is passed instead of userRoles
        return accessGranted(resource, ADMIN_ROLES);
    }

    private boolean accessGranted(String resource, String[] userRoles) {
        // grant or deny access based on user roles
        ...
    }
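The snippet above compiles because both the user's roles and ADMIN_ROLES are String[] values, so the compiler cannot tell them apart. The following added example (not MITRE's code) gives the two kinds of role set distinct types so the wrong argument becomes a compile error, and adds deny-path checks; RoleCheckDemo, GrantedRoles, RequiredRoles, USER_DB and RESOURCE_ACL are hypothetical names with constructed sample data.

```java
import java.util.Map;
import java.util.Set;

// Added example, not MITRE's code. All names and data below are hypothetical.
public class RoleCheckDemo {
    // Distinct wrapper types: roles a caller holds vs. roles a resource requires.
    record GrantedRoles(Set<String> roles) {}
    record RequiredRoles(Set<String> roles) {}

    static final RequiredRoles ADMIN_ROLES = new RequiredRoles(Set.of("admin", "root"));

    // Constructed sample data standing in for a user directory and an ACL.
    static final Map<String, Set<String>> USER_DB = Map.of(
            "alice", Set.of("admin"),
            "bob", Set.of("guest"));
    static final Map<String, RequiredRoles> RESOURCE_ACL = Map.of(
            "/admin/console", ADMIN_ROLES);

    static GrantedRoles getUserRoles(String user) {
        return new GrantedRoles(USER_DB.getOrDefault(user, Set.of()));
    }

    public static boolean accessGranted(String resource, String user) {
        GrantedRoles userRoles = getUserRoles(user);
        // accessGranted(resource, ADMIN_ROLES) no longer compiles here:
        // a RequiredRoles value cannot be passed where GrantedRoles is expected.
        return accessGranted(resource, userRoles);
    }

    private static boolean accessGranted(String resource, GrantedRoles held) {
        RequiredRoles needed = RESOURCE_ACL.get(resource);
        if (needed == null) return false; // unknown resource: deny by default
        return held.roles().stream().anyMatch(needed.roles()::contains);
    }

    public static void main(String[] args) {
        // Deny-path checks catch the original mistake, which evaluated every
        // caller against ADMIN_ROLES as if those were the caller's own roles.
        check(accessGranted("/admin/console", "alice"), "admin must be granted");
        check(!accessGranted("/admin/console", "bob"), "guest must be denied");
        check(!accessGranted("/admin/console", "mallory"), "unknown user must be denied");
        System.out.println("all role checks passed");
    }

    static void check(boolean ok, String msg) {
        if (!ok) throw new AssertionError(msg);
    }
}
```

Records require Java 16 or later; on older versions, two small final classes wrapping the role sets give the same compile-time separation.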

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.