1. Home
  2. CWE Database
  3. CWE-183
Base · Medium

CWE-183: Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is...

CWE-183 · Base Level ·5 CVEs

Description

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Potential Impact

Access Control

Bypass Protection Mechanism

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2019-12799chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183)
CVE-2019-10458sandbox bypass using a method that is on an allowlist
CVE-2017-1000095sandbox bypass using unsafe methods that are on an allowlist
CVE-2019-10458CI/CD pipeline feature has unsafe elements in allowlist, allowing bypass of script restrictions
CVE-2017-1000095Default allowlist includes unsafe methods, allowing bypass of sandbox

CWE-697: Incorrect Comparison

The product compares two entities in a security-relevant context, but the comparison is incorrect.

CWE-434: Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environmen...

Taxonomy Mappings

  • PLOVER: — Permissive Whitelist

Frequently Asked Questions

What is CWE-183?

CWE-183 (Permissive List of Allowed Inputs) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is...

How can CWE-183 be exploited?

Attackers can exploit CWE-183 (Permissive List of Allowed Inputs) to bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-183?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-183?

CWE-183 is classified as a Base-level weakness (Medium abstraction). It has been observed in 5 real-world CVEs.