Description
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
Potential Impact
Access Control
Bypass Protection Mechanism, Gain Privileges or Assume Identity
Mitigations & Prevention
Deploy different layers of protection to implement security in depth, so that a control missing or bypassed on one path to a resource is still enforced by another layer.
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2022-29238 | Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in thos |
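The mitigation above and the CVE row describe the same pattern: an authorization rule applied on one route to a resource (the directory listing) but not on another (a direct request for the file). The following is an added example, not code from the CWE entry or from the affected product; the document store, the `User` type, the `authorize` rule and the `audit` helper are all constructed for illustration. It shows the weak layout beside a hardened one in which every handler runs through a single authorization gate, plus an audit routine that calls every entry point as a non-admin user and reports any handler that still returns restricted content.

```python
"""Added example (not part of the CWE entry): one access-control rule
applied only on the listing path versus the same rule enforced at a
single choke point shared by every path to the resource.

All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed document store: path -> content. Anything under a directory
# whose name starts with "." is meant to be visible to admins only.
DOCS: Dict[str, str] = {
    "/public/readme.txt": "welcome",
    "/.hidden/payroll.csv": "salary data",
}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


def is_restricted(path: str) -> bool:
    """A path is restricted if any of its components starts with '.'."""
    return any(part.startswith(".") for part in path.split("/") if part)


def authorize(user: User, path: str) -> bool:
    """The single authorization rule: restricted paths require admin."""
    return user.is_admin or not is_restricted(path)


def _children(directory: str) -> list:
    prefix = directory.rstrip("/") + "/"
    return [p for p in DOCS if p.startswith(prefix)]


# --- Weak design: the rule is applied in the listing handler only ---------

def weak_list(user: User, directory: str) -> list:
    """Listing hides restricted entries from non-admins..."""
    return [p for p in _children(directory) if authorize(user, p)]


def weak_get(user: User, path: str) -> Optional[str]:
    """...but the direct-fetch handler never consults the rule, so the
    alternate path (requesting the file by name) is unprotected."""
    return DOCS.get(path)


# --- Hardened design: every request passes through one gate ---------------

Handler = Callable[[User, str], object]


def gate(handler: Handler) -> Handler:
    """Run authorize() before the handler, whatever path was requested."""
    def wrapped(user: User, path: str):
        if not authorize(user, path):
            return None  # denied: indistinguishable from "does not exist"
        return handler(user, path)
    return wrapped


@gate
def hardened_get(user: User, path: str) -> Optional[str]:
    return DOCS.get(path)


@gate
def hardened_list(user: User, directory: str) -> list:
    # gate() covered the directory itself; entries are still filtered.
    return [p for p in _children(directory) if authorize(user, p)]


ALL_HANDLERS: Dict[str, Handler] = {
    "weak_list": weak_list,
    "weak_get": weak_get,
    "hardened_list": hardened_list,
    "hardened_get": hardened_get,
}


def audit(handlers: Dict[str, Handler], user: User) -> list:
    """Defender's check: call every entry point as `user` for every path
    the rule denies them and return the names of handlers that still
    return content. Any name in the result is an unprotected path."""
    leaks = []
    for name, handler in handlers.items():
        for path in DOCS:
            if not authorize(user, path) and handler(user, path):
                leaks.append(name)
                break
    return sorted(leaks)


if __name__ == "__main__":
    guest = User("guest")
    print("listing as guest:", weak_list(guest, "/"))
    print("handlers leaking to guest:", audit(ALL_HANDLERS, guest))
```

The `audit` function is the part worth keeping in a real code base as a test: enumerate every route that can reach a protected resource and assert that a low-privilege caller gets the same denial from each of them, rather than testing only the route the UI happens to use.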
Related Weaknesses
Taxonomy Mappings
- PLOVER: Alternate Path Errors
- Software Fault Patterns: SFP35 — Insecure resource access
Frequently Asked Questions
What is CWE-424?
CWE-424 (Improper Protection of Alternate Path) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
How can CWE-424 be exploited?
Attackers can exploit CWE-424 (Improper Protection of Alternate Path) to bypass a protection mechanism, gain privileges, or assume an identity. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-424?
Key mitigations include deploying different layers of protection to implement security in depth.
What is the severity of CWE-424?
CWE-424 is classified as a Class-level weakness (high abstraction). It has been observed in 1 real-world CVE.