Description
The wrong "handler" is assigned to process an object.
An example of deploying the wrong handler would be invoking a servlet directly so that it reveals the source code of a .JSP file instead of executing it, or automatically "determining" the type of an object even when that contradicts an explicitly specified type.
Potential Impact
Scope: Integrity, Other
Effect: Varies by Context, Unexpected State
Mitigations & Prevention
Perform a type check before interpreting an object.
Reject any inconsistent types, such as a file with a .GIF extension that appears to consist of PHP code.
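The type check described above, written out as an added example (not code from the CWE entry): a dispatcher that compares the type an object declares via its extension with the type its leading bytes actually indicate, and only then hands it to a registered handler. The handler names, the sample objects and the sniffing rules are constructed for illustration; only the GIF and PNG signatures are real.

```python
from typing import Callable

# Real file signatures used by the content sniffer.
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def declared_type(name: str) -> str:
    """Type the object claims through its extension (an untrusted label)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"gif": "gif", "png": "png", "php": "php", "jsp": "jsp"}.get(ext, "unknown")

def sniff_type(data: bytes) -> str:
    """Type the object actually is, judged from its leading bytes (constructed rules)."""
    if data.startswith(GIF_MAGIC):
        return "gif"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.lstrip().startswith(b"<?php"):
        return "php"
    return "unknown"

def serve_static(name: str, data: bytes) -> str:
    """Image handler: passes the bytes through verbatim and never interprets them."""
    return f"served {len(data)} bytes of {name} as static image"

# Only handlers for passive content are registered for user-supplied objects;
# there is deliberately no script handler that a mismatch could fall back to.
HANDLERS: dict[str, Callable[[str, bytes], str]] = {"gif": serve_static, "png": serve_static}

def dispatch(name: str, data: bytes) -> tuple[bool, str]:
    """Assign a handler only when the declared and sniffed types agree."""
    declared, actual = declared_type(name), sniff_type(data)
    if declared != actual:
        return False, f"rejected {name}: extension says {declared!r}, content looks like {actual!r}"
    handler = HANDLERS.get(declared)
    if handler is None:
        return False, f"rejected {name}: no handler registered for {declared!r}"
    return True, handler(name, data)

if __name__ == "__main__":
    # Constructed sample objects: a genuine GIF, PHP code under a .GIF name,
    # a plain PHP file, and a GIF mislabelled as PNG.
    samples = [
        ("cat.gif", b"GIF89a" + b"\x00" * 10),
        ("cat.gif", b"<?php echo 'not an image'; ?>"),
        ("note.php", b"<?php echo 'scripts are not served'; ?>"),
        ("logo.png", b"GIF89a" + b"\x00" * 10),
    ]
    for name, data in samples:
        print(dispatch(name, data))
```

Only the first sample is served; the other three are rejected before any handler is chosen, which is the point of checking the type rather than trusting the label.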
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2001-0004 | Source code disclosure via manipulated file extension that causes parsing by wrong DLL. |
| CVE-2002-0025 | Web browser does not properly handle the Content-Type header field, causing a different application to process the document. |
| CVE-2000-1052 | Source code disclosure by directly invoking a servlet. |
| CVE-2002-1742 | Arbitrary Perl functions can be loaded by calling a non-existent function that activates a handler. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: Improper Handler Deployment
Frequently Asked Questions
What is CWE-430?
CWE-430 (Deployment of Wrong Handler) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The wrong "handler" is assigned to process an object.
How can CWE-430 be exploited?
The impact of exploiting CWE-430 (Deployment of Wrong Handler) varies by context; in general it leaves the application in an unexpected state, for example processing an object with a handler that was never meant for it. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-430?
Key mitigations include performing a type check before interpreting an object and rejecting any inconsistent types.
What is the severity of CWE-430?
CWE-430 is classified as a Base-level weakness (Medium abstraction). It has been observed in 4 real-world CVEs.