Category: Data Integrity Issues
Draft
Summary
Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-322 | Key Exchange without Entity Authentication | This vulnerability occurs when a system establishes a cryptographic key with another party without first confirming that party's true identity. |
| CWE-346 | Origin Validation Error | This vulnerability occurs when an application fails to properly confirm the true origin of incoming data or communication, allowing attackers to spoof their source. |
| CWE-347 | Improper Verification of Cryptographic Signature | This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step entirely, allowing tampered or forged information to be accepted as legitimate. |
| CWE-348 | Use of Less Trusted Source | This vulnerability occurs when a system has access to multiple sources for the same critical data, but it chooses to rely on the less secure or less trustworthy one. This creates a security gap because the system ignores better-protected alternatives that offer stronger verification or are harder for attackers to compromise. |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | This vulnerability occurs when a system processes both trusted and untrusted data together, but fails to separate them. The application incorrectly treats all incoming data—including the untrusted portion—with the same level of trust as the legitimate data. |
| CWE-351 | Insufficient Type Distinction | This vulnerability occurs when an application fails to properly differentiate between different types of data or objects, leading to unintended and insecure behavior. |
| CWE-353 | Missing Support for Integrity Check | This vulnerability occurs when a system uses a communication protocol that lacks built-in integrity verification, such as a checksum or cryptographic hash, to detect if data has been altered or corrupted during transmission. |
| CWE-354 | Improper Validation of Integrity Check Value | This vulnerability occurs when software fails to properly check the integrity of data by validating its checksum or hash value. Without this verification, the application cannot reliably detect if information has been altered, corrupted, or tampered with during storage or transmission. |
| CWE-494 | Download of Code Without Integrity Check | This vulnerability occurs when an application fetches and runs code from an external source—like a remote server or CDN—without properly verifying where it came from or ensuring it hasn't been tampered with. |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | This vulnerability occurs when an application uses cookies to make security decisions—like granting access or changing settings—but fails to verify that the cookie data is legitimate, unaltered, and belongs to the current user. |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | This vulnerability occurs when an application uses obfuscation or encryption to hide security-sensitive data (like tokens or parameters) but fails to verify whether that data has been altered. Without integrity checks, the system cannot detect if an attacker has tampered with these inputs. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | This weakness occurs when an application integrates executable code, like a library or plugin, from a source it does not fully control or trust. |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | This vulnerability occurs when an application receives data over a network but fails to properly verify that the information wasn't altered in transit. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.