Base · Medium

CWE-654: Reliance on a Single Factor in a Security Decision

CWE-654 · Base Level · 1 CVE · 2 Mitigations

Description

A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Non-Repudiation

Hide Activities

Mitigations & Prevention

Architecture and Design

Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security).

Architecture and Design

Use redundant access rules on different choke points (e.g., firewalls).

Real-World CVE Examples

CVE ID          Description
CVE-2022-35248  Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication
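The CVE above and the two mitigations listed earlier describe the same pattern from opposite sides: one condition (an SSO flag, or the SSO assertion it enables) is allowed to decide the whole access question. The following Python is an added illustration, not code from CWE, from MITRE, or from the chat application in the CVE. It shows a login function that short-circuits when CAS-style single sign-on is enabled, so the second factor is never evaluated, beside a hardened version that requires every independent check (primary factor, TOTP, and a network rule acting as a second choke point) and fails closed when a factor is not enrolled. All names (`User`, `DEMO_USER`, `cas_enabled`, `sso_ok`, and so on) and the sample data are constructed for this example; the TOTP key and time come from the RFC 6238 test vectors so the codes are reproducible.

```python
"""Single-factor vs. layered access decisions (CWE-654).

Added example, not code from CWE or from the product in the CVE above.
All names and sample data are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
import hashlib
import hmac
import struct


@dataclass(frozen=True)
class User:
    name: str
    password_hash: bytes                  # demo only: unsalted SHA-256, not for production
    totp_secret: bytes | None             # None means no second factor is enrolled
    allowed_prefixes: tuple[str, ...] = ("10.0.0.",)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def check_password(user: User, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(digest, user.password_hash)


def verify_totp(user: User, code: str, unix_time: int) -> bool:
    """Second factor. Fails closed when the user has no enrolled secret."""
    if user.totp_secret is None:
        return False
    # Accept the current 30 s step and one step either side to absorb clock skew.
    return any(hmac.compare_digest(totp(user.totp_secret, unix_time + d), code)
               for d in (-30, 0, 30))


def from_allowed_network(user: User, client_ip: str) -> bool:
    """Independent choke point: a coarse network rule in addition to authentication."""
    return client_ip.startswith(user.allowed_prefixes)


def vulnerable_login(user: User, password: str, sso_ok: bool, code: str,
                     client_ip: str, unix_time: int, cas_enabled: bool) -> bool:
    """CWE-654: with CAS enabled, the SSO assertion alone decides the outcome."""
    if cas_enabled:
        return sso_ok          # second factor and network rule are never evaluated
    return check_password(user, password) and verify_totp(user, code, unix_time)


def hardened_login(user: User, password: str, sso_ok: bool, code: str,
                   client_ip: str, unix_time: int, cas_enabled: bool) -> bool:
    """Every independent check must pass; the SSO flag only selects the primary check."""
    primary_ok = sso_ok if cas_enabled else check_password(user, password)
    checks = (
        primary_ok,
        verify_totp(user, code, unix_time),       # enforced in both modes
        from_allowed_network(user, client_ip),    # redundant rule at a different choke point
    )
    return all(checks)


# Constructed sample data. Key and time are the RFC 6238 SHA-1 test vector, so
# totp(DEMO_SECRET, DEMO_TIME) == "287082".
DEMO_SECRET = b"12345678901234567890"
DEMO_TIME = 59
DEMO_USER = User("alice", hashlib.sha256(b"correct horse").digest(), DEMO_SECRET)
```

With CAS enabled, `vulnerable_login` returns true for a valid SSO assertion even when the TOTP code is wrong and the client is outside the allowed network; `hardened_login` rejects the same request, and also rejects a user with no enrolled second factor rather than silently downgrading to one factor.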

Taxonomy Mappings

  • ISA/IEC 62443: Part 4-1 — Req SD-3
  • ISA/IEC 62443: Part 4-1 — Req SD-4
  • ISA/IEC 62443: Part 4-1 — Req SI-1

Frequently Asked Questions

What is CWE-654?

CWE-654 (Reliance on a Single Factor in a Security Decision) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

How can CWE-654 be exploited?

Attackers can exploit CWE-654 (Reliance on a Single Factor in a Security Decision) to gain privileges or assume identity, and to hide their activities. This weakness is typically introduced during the Architecture and Design, Implementation, or Operation phases of software development.

How do I prevent CWE-654?

Key mitigations include: Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security). Use redundant access rules on different choke points (e.g., firewalls).

What is the severity of CWE-654?

CWE-654 is classified as a Base-level weakness (Base is its abstraction level, not a severity) and is rated Medium. It has been observed in 1 real-world CVE.