Insufficient Type Distinction

Status: Draft
Abstraction: Base
Structure: Simple
Description

This weakness occurs when a product fails to properly distinguish between different types of elements (data values, objects, events, or principals) in a way that leads to insecure behavior.

Extended Description

Insufficient type distinction happens when a product treats elements of different kinds as if they were the same. It might handle a user-controlled string as a system command, treat an event generated by script as if a user had initiated it, or compare only part of an element's identity (for example a name, but not its kind) and conclude that two distinct elements are one. Because the product cannot tell the kinds apart, it can be induced to apply to one kind the trust, privileges, or handling that were intended only for the other.

For developers, the root cause is usually logic that relies on implicit assumptions about what kind of element it is handling rather than on explicit checks. To prevent it, enforce clear boundaries between element types, privilege levels, and resources: validate the kind of an element explicitly before acting on it, use strong typing where the language allows so that distinct kinds cannot be substituted for one another, compare the complete identity of an element rather than a subset of its attributes, and write authorization checks that verify not only whether an action is permitted but also what kind of entity is requesting it.

Common Consequences
Scope: Other

Impact: Other

Observed Examples

CVE-2005-2260: Browser user interface does not distinguish between user-initiated and synthetic events.
CVE-2005-2801: Product does not compare all required data in two separate elements, causing it to think they are the same, leading to loss of ACLs. Similar to Same Name error.
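The second observed example above and the advice in the Extended Description (compare the complete identity of an element, and check what kind of entity is requesting an action) can be shown side by side in a small ACL merge. The code below is an added illustration written for this page; it is not code from the CWE entry or from the product affected by CVE-2005-2801, and the principal kinds, names, ACL layout and permission strings are all invented for the example. The weak version keys ACL entries by name alone, so a user and a group that share a name collapse into one entry (one entry is lost, and the user inherits the group's permissions); the hardened version keys on the full (kind, name) identity.

```python
"""Hypothetical ACL example: distinguishing principals of different kinds.

Added illustration for CWE "Insufficient Type Distinction"; not code from any
real product. Kinds, names, permissions and ACL layout are constructed here.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    USER = "user"
    GROUP = "group"


@dataclass(frozen=True)
class Principal:
    """A principal's identity is the pair (kind, name), not the name alone."""
    kind: Kind
    name: str


# --- Vulnerable: identity reduced to the name string -------------------------
def merge_acls_by_name(*acls):
    """Merge ACLs keyed only by principal name.

    Two principals of different kinds that share a name are treated as the
    same element: the later entry silently overwrites the earlier one, so an
    ACL entry is lost (the "loss of ACLs" failure mode).
    """
    merged = {}
    for acl in acls:
        for principal, perms in acl.items():
            merged[principal.name] = set(perms)
    return merged


def is_allowed_by_name(acl_by_name, principal, perm):
    """Check permission by name only; the requester's kind is never verified."""
    return perm in acl_by_name.get(principal.name, set())


# --- Hardened: identity is the full (kind, name) pair -------------------------
def merge_acls(*acls):
    """Merge ACLs keyed by the complete Principal identity.

    Distinct kinds never collide; entries for the same (kind, name) across
    inputs are unioned rather than one overwriting the other.
    """
    merged = {}
    for acl in acls:
        for principal, perms in acl.items():
            merged[principal] = merged.get(principal, set()) | set(perms)
    return merged


def is_allowed(acl, principal, perm):
    """Check permission against an entry for exactly this kind and name."""
    entry = acl.get(principal)
    return entry is not None and perm in entry


def demo():
    """Constructed scenario: a user and a group both named 'alice'."""
    user_alice = Principal(Kind.USER, "alice")
    group_alice = Principal(Kind.GROUP, "alice")
    acl_users = {user_alice: {"read"}}
    acl_groups = {group_alice: {"read", "write", "admin"}}

    weak = merge_acls_by_name(acl_users, acl_groups)
    strong = merge_acls(acl_users, acl_groups)
    return {
        "weak_entries": len(weak),        # 1: the user's entry was lost
        "strong_entries": len(strong),    # 2: both principals retained
        "weak_user_admin": is_allowed_by_name(weak, user_alice, "admin"),  # True
        "strong_user_admin": is_allowed(strong, user_alice, "admin"),      # False
    }


if __name__ == "__main__":
    print(demo())
```

The hardened check refuses the user "alice" the group's "admin" permission not because of an extra policy rule but because the lookup key itself carries the kind; making the type part of the identity is what removes the confusion, and the same pattern applies wherever two elements are compared or deduplicated by a subset of their attributes.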
Applicable Platforms
Languages:
Not Language-Specific (Undetermined Prevalence)
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
Notes
Relationship: Overlaps others, e.g. Multiple Interpretation Errors.