Description
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Potential Impact
Access Control, Integrity
Bypass Protection Mechanism, Modify Application Data
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2002-0018 | Does not verify that trusted entity is authoritative for all entities in its response. |
| CVE-2006-5462 | Use of extra data in a signature allows certificate signature forging. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: Untrusted Data Appended with Trusted Data
- The CERT Oracle Secure Coding Standard for Java (2011): ENV01-J — Place all security-sensitive code in a single JAR and sign and seal it
Frequently Asked Questions
What is CWE-349?
CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
How can CWE-349 be exploited?
Attackers can exploit CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) to bypass a protection mechanism or modify application data. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-349?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
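The pattern in the description, shown as an added example that is not part of the CWE entry: an issuer MACs only the fields it knows about, and a vulnerable parser then returns every field that arrived in the same message as if the MAC had covered it, while the hardened parser rebuilds the record from the verified fields alone and rejects anything extra. The key, field names and the `tampered_token` fixture are constructed for this demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load this from a secret store.
KEY = b"constructed-demo-key"


def _mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def issue_token(user: str, role: str) -> str:
    """Issuer signs only the fields it knows about: user and role."""
    return json.dumps({"user": user, "role": role,
                       "sig": _mac(f"{user}|{role}".encode())})


def parse_vulnerable(raw: str) -> dict:
    """CWE-349 pattern: the MAC covers two fields, but every field that
    arrived alongside them is returned as if it had been verified."""
    msg = json.loads(raw)
    expected = _mac(f"{msg['user']}|{msg['role']}".encode())
    if not hmac.compare_digest(expected, msg["sig"]):
        raise ValueError("bad signature")
    return {k: v for k, v in msg.items() if k != "sig"}


def parse_hardened(raw: str) -> dict:
    """Rebuild the record from the verified fields only, and refuse any
    extraneous data rather than silently carrying it along."""
    msg = json.loads(raw)
    extra = set(msg) - {"user", "role", "sig"}
    if extra:
        raise ValueError(f"unsigned fields present: {sorted(extra)}")
    expected = _mac(f"{msg['user']}|{msg['role']}".encode())
    if not hmac.compare_digest(expected, msg["sig"]):
        raise ValueError("bad signature")
    return {"user": msg["user"], "role": msg["role"]}


def tampered_token() -> str:
    """Constructed test input: a valid token with one unsigned field appended."""
    token = json.loads(issue_token("alice", "viewer"))
    token["is_admin"] = True  # never covered by the MAC
    return json.dumps(token)
```

A stronger fix is to sign the whole serialized body and parse only the bytes the signature verified, so the application never sees data outside the signed region.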
What is the severity of CWE-349?
CWE-349 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.