Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: Unknown
A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.
This can lead to unpredictable behavior. If the function is used to make security-critical decisions or provide security-critical information, then the wrong status code can cause the software to assume that an action is safe, even when it is not.
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | 684 | 1000 | Primary |
ChildOf | 703 | 1000 | |
Language: Language-Independent (Prevalence: Undetermined)
Scope | Impact | Note |
---|---|---|
['Integrity', 'Other'] | ['Unexpected State', 'Alter Execution Logic'] | This weakness could place the system in a state that could lead unexpected logic to be executed or other unintended behaviors. |
In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.
(Bad Code) Example Language: Java
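As an added illustration (not the CWE entry's own demonstrative code), the servlet pattern described above beside a corrected version; the class name, file path and logger are assumptions:

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Serves one fixed report file. Class name and path are assumed for the example.
public class ReportServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ReportServlet.class.getName());
    private static final Path REPORT = Paths.get("/var/app/reports/daily.txt"); // constructed path

    // Bad: every I/O failure, including a permission error or a disk fault on a
    // file that does exist, is reported as 404 "not found". Clients and monitors
    // conclude the resource is missing and never learn that the server is failing.
    protected void doGetBad(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try (InputStream in = Files.newInputStream(REPORT)) {
            in.transferTo(resp.getOutputStream());
        } catch (IOException e) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); // wrong status code
        }
    }

    // Corrected: "does not exist" and "failed while reading" are different
    // conditions and get different status codes; detail stays in the server log.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try (InputStream in = Files.newInputStream(REPORT)) {
            in.transferTo(resp.getOutputStream());
        } catch (NoSuchFileException e) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        } catch (IOException e) {
            LOG.severe("failed to serve report: " + e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

The corrected variant keeps the 404 only for the one case it actually describes, so a 5xx in access logs is a reliable signal that something is wrong on the server.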
Identifier | Description | Link |
---|---|---|
CVE-2003-1132 | DNS server returns wrong response code for non-existent AAAA record, which effectively says that the domain is inaccessible. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1132 |
CVE-2001-1509 | Hardware-specific implementation of system call causes incorrect results from geteuid. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1509 |
CVE-2001-1559 | System call returns wrong value, leading to a resultant NULL dereference. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1559 |
CVE-2014-1266 | chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing man-in-the-middle attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint ('Man-in-the-Middle')). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1266 |
Relationship: This can be primary or resultant, but it is probably most often primary to other issues.
Maintenance: This probably overlaps various categories, especially those related to error handling.
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Wrong Status Code |
Software Fault Patterns | SFP6 | | Incorrect Exception Behavior |