Abstraction: Base
Status: Draft

CWE-478: Missing Default Case in Multiple Condition Expression

Category: config

Description

The code does not have a default case in an expression with multiple conditions, such as a switch statement. If a multiple-condition expression (such as a switch in C) omits the default case but does not consider or handle all possible values that could occur, then this might lead to complex logical errors and resultant weaknesses. Because of this, further decisions are made based on poor information, and cascading failure results. This cascading failure may result in any number of security issues, and constitutes a significant failure in the system.

Common consequences

  • Integrity — Varies by Context, Alter Execution Logic
    Depending on the logical circumstances involved, any consequences may result: e.g., issues of confidentiality, authentication, authorization, availability, integrity, accountability, or non-repudiation.

Potential mitigations

  • [Implementation] Ensure that there are no cases unaccounted for when adjusting program flow or values based on the value of a given variable. In the case of switch style statements, the very simple act of creating a default case can, if done correctly, mitigate this situation. Often, however, the default case is used simply to represent an assumed option, as opposed to working as a check for invalid input. This is poor practice and in some cases is as bad as omitting a default case entirely.
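
The three variants below are an added example, not code from MITRE or the CWE entry: a request handler that dispatches on a role value taken from untrusted input, first with no default case (the weakness), then with a default that merely assumes an option (the poor practice named in the mitigation), then with a default that rejects unrecognised input. The role enum, balance field and handler names are constructed for illustration.

```c
#include <stdio.h>
/* Privilege levels expected in an untrusted request field (constructed for this example). */
enum role { ROLE_GUEST = 0, ROLE_USER = 1, ROLE_ADMIN = 2 };

/* Weak (CWE-478): no default. An unrecognised role matches no case, falls out of the
   switch, and the function still reports success, so the caller acts on bad information. */
int handle_no_default(int role, int *balance) {
    switch (role) {
    case ROLE_GUEST: break;                 /* read-only */
    case ROLE_USER:  *balance -= 1; break;
    case ROLE_ADMIN: *balance  = 0; break;
    }
    return 0;
}

/* Poor practice named in the mitigation: the default stands in for an assumed option,
   so any unexpected value is silently treated as ROLE_USER. */
int handle_assumed_default(int role, int *balance) {
    switch (role) {
    case ROLE_GUEST: break;
    case ROLE_ADMIN: *balance = 0; break;
    default:         *balance -= 1; break;  /* "must be a user" */
    }
    return 0;
}

/* Mitigated: the default is a check. Unrecognised input is rejected before any state
   changes. Switching on the enum type lets -Wswitch flag a missing enumerator at
   compile time, but it does not catch out-of-range integers, so the default stays. */
int handle_with_check(int role, int *balance) {
    switch ((enum role)role) {
    case ROLE_GUEST: break;
    case ROLE_USER:  *balance -= 1; break;
    case ROLE_ADMIN: *balance  = 0; break;
    default:         return -1;
    }
    return 0;
}

typedef int (*handler_fn)(int role, int *balance);
/* Drive a handler from a fixed starting balance; report the status or the balance left. */
int status_after(handler_fn fn, int role, int start) { int b = start; return fn(role, &b); }
int balance_after(handler_fn fn, int role, int start) { int b = start; fn(role, &b); return b; }

int main(void) {
    printf("role 7: no_default=%d assumed_balance=%d checked=%d\n", status_after(handle_no_default, 7, 5),
           balance_after(handle_assumed_default, 7, 5), status_after(handle_with_check, 7, 5));
    return 0;
}
```

For the out-of-range role 7 the first handler reports success without doing anything, the second silently debits as if the caller were a user, and only the third returns an error the caller can act on.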

References

  1. https://cwe.mitre.org/data/definitions/478.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Excessive Use of Unconditional Branching
  • CWE: Insufficient Control Flow Management
  • CWE: Incorrect Block Delimitation
  • CWE: Omitted Break Statement in Switch
  • CWE: Always-Incorrect Control Flow Implementation
  • CWE: Use of Uninitialized Variable

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.