1. Home
  2. CWE Database
  3. CWE-344
Base · Medium

CWE-344: Use of Invariant Value in Dynamically Changing Context

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

CWE-344 · Base Level ·1 CVEs

Description

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Potential Impact

Other

Varies by Context

Demonstrative Examples

The following code is an example of an internal hard-coded password in the back-end:
Bad
int VerifyAdmin(char *password) {
                        if (strcmp(password, "Mew!")) {
                              
                                 printf("Incorrect Password!\n");return(0)
                           }printf("Entering Diagnostic Mode...\n");return(1);
                     }
Bad
int VerifyAdmin(String password) {if (!password.equals("Mew!")) {return(0)}//Diagnostic Modereturn(1);}
Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."
This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.
Bad
int (*pt2Function) (float, char, char)=0x08040000;int result2 = (*pt2Function) (12, 'a', 'b');
                     // Here we can inject code to execute.
The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution.

Real-World CVE Examples

CVE IDDescription
CVE-2002-0980Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context

CWE-330: Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Taxonomy Mappings

  • PLOVER: — Static Value in Unpredictable Context

Frequently Asked Questions

What is CWE-344?

CWE-344 (Use of Invariant Value in Dynamically Changing Context) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

How can CWE-344 be exploited?

Attackers can exploit CWE-344 (Use of Invariant Value in Dynamically Changing Context) to varies by context. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-344?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-344?

CWE-344 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.