1. Home
  2. CWE Database
  3. CWE-683
Variant · Low-Medium

CWE-683: Function Call With Incorrect Order of Arguments

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

CWE-683 · Variant Level ·1 CVEs ·1 Mitigations

Description

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

While this weakness might be caught by the compiler in some languages, it can occur more frequently in cases in which the called function accepts variable numbers or types of arguments, such as format strings in C. It also can occur in languages or environments that do not enforce strong typing.

Potential Impact

Other

Quality Degradation

Demonstrative Examples

The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.
Bad
function authenticate($username, $password) {
                        
                           
                           // authenticate user
                           ...
                     }
                     authenticate($_POST['password'], $_POST['username']);

Mitigations & Prevention

Implementation

Use the function, procedure, or routine as specified.

Detection Methods

  • Automated Analysis — Because this function call often produces incorrect behavior, it will usually be detected during testing or normal operation of the product.
  • Automated Analysis — Exercising all possible control paths will typically expose this weakness, except in rare cases when the incorrect function call accidentally produces the correct results, or if the provided argument type is very similar to the expected argument type.

Real-World CVE Examples

CVE IDDescription
CVE-2006-7049Application calls functions with arguments in the wrong order, allowing attacker to bypass intended access restrictions.

CWE-628: Function Call with Incorrectly Specified Arguments

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-i...

Frequently Asked Questions

What is CWE-683?

CWE-683 (Function Call With Incorrect Order of Arguments) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

How can CWE-683 be exploited?

Attackers can exploit CWE-683 (Function Call With Incorrect Order of Arguments) to quality degradation. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-683?

Key mitigations include: Use the function, procedure, or routine as specified.

What is the severity of CWE-683?

CWE-683 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVEs.