Base · Medium

CWE-483: Incorrect Block Delimitation

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

CWE-483 · Base Level · 1 CVE · 1 Mitigation

Description

In some languages, braces (or other delimiters) are optional for blocks. When the delimiter is omitted, it is possible to insert a logic error in which a statement is thought to be in a block but is not. In some cases, the logic error can have security implications.

Potential Impact

Confidentiality, Integrity, Availability

Alter Execution Logic

Demonstrative Examples

In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.
Bad

    if (condition==true)
        Do_X();
        Do_Y();

This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.
In this example, the programmer has indented the Do_Y() statement as if the intention is that the function should be associated with the preceding conditional and should only be called when the condition is true. However, because Do_X() was called on the same line as the conditional and there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.
Bad

    if (condition==true) Do_X();
        Do_Y();

This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.
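As an added illustration (not code from the CWE entry), the two examples above recast as a security decision in C, with the unbraced form beside its braced fix; audit_log() and grant_access() are assumed names standing in for Do_X() and Do_Y(), and the counters exist only so a test can observe which calls actually ran.

```c
#include <stdbool.h>

/* Stand-ins for Do_X() and Do_Y(): the counters let a test observe which
 * calls actually ran (names are assumptions for this illustration). */
static int audit_log_count;
static int grant_count;

static void audit_log(void)    { audit_log_count++; }
static void grant_access(void) { grant_count++; }

/* CWE-483: the indentation suggests both calls are guarded, but with no
 * braces only audit_log() belongs to the if; grant_access() always runs.
 * GCC's -Wall enables -Wmisleading-indentation, which flags this pattern. */
int handle_request_unbraced(bool authorized)
{
    audit_log_count = grant_count = 0;
    if (authorized)
        audit_log();
        grant_access();   /* not guarded: runs even when unauthorized */
    return grant_count;   /* 1 whether or not 'authorized' is true */
}

/* Fix: explicit braces make the block match what the indentation implies. */
int handle_request_braced(bool authorized)
{
    audit_log_count = grant_count = 0;
    if (authorized) {
        audit_log();
        grant_access();
    }
    return grant_count;   /* 0 when unauthorized, 1 when authorized */
}
```

Compiling with -Wall surfaces the unbraced variant as a misleading-indentation warning, which is the static-analysis enforcement the mitigation below refers to.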

Mitigations & Prevention

Implementation

Always use explicit block delimitation and use static-analysis technologies to enforce this practice.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

  • CVE-2014-1266: Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-56

Taxonomy Mappings

  • CLASP: Incorrect block delimitation

Frequently Asked Questions

What is CWE-483?

CWE-483 (Incorrect Block Delimitation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

How can CWE-483 be exploited?

Attackers can exploit CWE-483 (Incorrect Block Delimitation) to alter execution logic. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-483?

Key mitigations include: Always use explicit block delimitation and use static-analysis technologies to enforce this practice.

What is the severity of CWE-483?

CWE-483 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.