BaseIncomplete

CWE-1427Improper Neutralization of Input Used for LLM Prompting

Category: other

Description

The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.

Common consequences· 4

  • Confidentiality / Integrity / Availability — Execute Unauthorized Code or Commands, Varies by Context
  • Confidentiality — Read Application Data
  • Integrity — Modify Application Data, Execute Unauthorized Code or Commands
  • Access Control — Read Application Data, Modify Application Data, Gain Privileges or Assume Identity

Potential mitigations· 5

  • [Architecture and Design]
  • [Implementation]
  • [Architecture and Design]
  • [Implementation]
  • [Installation, Operation]

References

  1. https://cwe.mitre.org/data/definitions/1427.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Improper Validation of Generative AI Output
CWE
Insecure Setting of Generative AI/ML Model Inference Parameters
CWE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE
Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
CWE
Misinterpretation of Input
CWE
Improper Handling of Parameters
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.