BaseDraft

CWE-241Improper Handling of Unexpected Data Type

Category: other

Description

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

Common consequences· 1

  • Integrity / Other — Varies by Context, Unexpected State

Potential mitigations· 2

  • [Implementation]
  • [Implementation]Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Related CAPEC attack patterns· 1

CAPEC-48

References

  1. https://cwe.mitre.org/data/definitions/241.html

Exploits (incoming)1

TypeTargetConfidenceTier
AttackPatternPassing Local Filenames to Functions That Expect a URLcapec-48100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Improper Validation of Specified Type of Input
CWE
Improper Validation of Syntactic Correctness of Input
CWE
Improper Input Validation
CWE
Improper Handling of Syntactically Invalid Structure
CWE
Improper Handling of Extra Values
CWE
Improper Validation of Consistency within Input
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.