CWE-103: Struts: Incomplete validate() Method Definition

Abstraction: Variant · Status: Draft

Category: other

Description

The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Common consequences (2)

  • Other — Unexpected State, Varies by Context
    If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form. Disabling the validation framework for a form exposes the product to numerous types of attacks.
  • Confidentiality / Integrity / Availability / Other — Other
    Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Potential mitigations (1)

  • [Implementation] Implement the validate() method and call super.validate() within that method.
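As an added illustration (not code from the CWE entry or from any Struts project), the pattern the mitigation describes in Struts 1 Java: a form bean that overrides validate() without calling super.validate(), beside the corrected version. The class names, the username field and the errors.username.spaces message key are assumed; the validation.xml rules for the form are assumed to exist.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

// WEAK (CWE-103): validate() is overridden but super.validate() is never
// called, so the rules declared for this form in validation.xml (required,
// mask, maxlength, ...) are silently skipped. Only the one ad-hoc check runs.
class RegistrationFormWeak extends ValidatorForm {
    private String username;            // assumed form field

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (username != null && username.contains(" ")) {
            // "errors.username.spaces" is an assumed resource-bundle key
            errors.add("username", new ActionMessage("errors.username.spaces"));
        }
        return errors;   // framework validation never ran for this form
    }
}

// FIXED: run the Validator Framework rules first via super.validate(), then
// layer the custom check on top of the errors the framework collected.
class RegistrationForm extends ValidatorForm {
    private String username;            // assumed form field

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        // Applies every rule declared for this form in validation.xml.
        ActionErrors errors = super.validate(mapping, request);
        if (errors == null) {           // defensive: keep a non-null collector
            errors = new ActionErrors();
        }
        if (username != null && username.contains(" ")) {
            errors.add("username", new ActionMessage("errors.username.spaces"));
        }
        return errors;   // framework errors plus the custom check
    }
}
```

A quick review check for this weakness is to grep every ValidatorForm subclass's validate() body for a super.validate( call; a subclass that overrides validate() without it has the framework disabled for that form.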

References

  1. https://cwe.mitre.org/data/definitions/103.html

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Struts: Unused Validation Form
  • CWE: Struts: Unvalidated Action Form
  • CWE: Struts: Validator Without Form Field
  • CWE: Struts: Duplicate Validation Forms
  • CWE: Struts: Form Bean Does Not Extend Validation Class
  • CWE: Struts: Validator Turned Off

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.