Description
The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.
Potential Impact
Integrity, Other
Varies by Context, Unexpected State
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Incomplete Internal State Distinction
Frequently Asked Questions
What is CWE-372?
CWE-372 (Incomplete Internal State Distinction) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant man...
How can CWE-372 be exploited?
Attackers can exploit CWE-372 (Incomplete Internal State Distinction) to varies by context, unexpected state. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-372?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-372?
CWE-372 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.