This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.

| ID | Name | Description |
|---|---|---|
| CWE-198 | Use of Incorrect Byte Ordering | This vulnerability occurs when software processes data from another system without considering byte order (endianness), such as big-endian or little-endian. This mismatch can cause the program to misinterpret numbers or values, leading to incorrect calculations, crashes, or security flaws. |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure, often leading to crashes or unexpected behavior. |
| CWE-229 | Improper Handling of Values | This vulnerability occurs when software fails to correctly process situations where input contains too few values, too many values, or undefined values for expected parameters, fields, or arguments. |
| CWE-230 | Improper Handling of Missing Values | This vulnerability occurs when software fails to properly check for or handle missing data values. It happens when a parameter, field, or argument name is provided, but its corresponding value is empty, blank, or null, and the system doesn't manage this absence safely. |
| CWE-231 | Improper Handling of Extra Values | This vulnerability occurs when software receives more input values than it was designed to handle, and fails to properly manage or reject the excess data. |
| CWE-232 | Improper Handling of Undefined Values | This vulnerability occurs when software fails to properly check for or handle undefined, null, or unsupported values passed to parameters, configuration fields, or function arguments. Instead of rejecting or safely converting these values, the system proceeds with an unexpected state, often leading to crashes or security flaws. |
| CWE-233 | Improper Handling of Parameters | This vulnerability occurs when software fails to correctly process input that contains an unexpected number of parameters, missing fields, or undefined arguments. It often leads to crashes, unexpected behavior, or security bypasses. |
| CWE-234 | Failure to Handle Missing Parameter | This vulnerability occurs when a function or method receives fewer arguments than it expects. The function will still attempt to process its expected number of parameters, which can lead to reading undefined, stale, or arbitrary values from the program's memory or stack, causing crashes or unexpected behavior. |
| CWE-235 | Improper Handling of Extra Parameters | This vulnerability occurs when a system fails to properly manage situations where it receives more parameters, fields, or arguments with the same name than it was designed to handle. |
| CWE-236 | Improper Handling of Undefined Parameters | This vulnerability occurs when software fails to properly manage input parameters, field names, or arguments that it doesn't recognize or support. Instead of rejecting or safely ignoring the undefined input, the system may behave unpredictably, leading to errors or security issues. |
| CWE-237 | Improper Handling of Structural Elements | This vulnerability occurs when an application fails to properly validate, sanitize, or interpret the complex internal parts of structured data, such as file headers, network packet fields, or document metadata. |
| CWE-238 | Improper Handling of Incomplete Structural Elements | This vulnerability occurs when software fails to properly process or validate data structures that are missing required components or are only partially formed. |
| CWE-239 | Failure to Handle Incomplete Element | This vulnerability occurs when a system fails to properly manage or validate data elements that are missing required parts or are only partially defined. |
| CWE-240 | Improper Handling of Inconsistent Structural Elements | This vulnerability occurs when a system fails to properly manage situations where related data structures or elements should match but are inconsistent. |
| CWE-241 | Improper Handling of Unexpected Data Type | This vulnerability occurs when software fails to properly validate or safely process data that arrives in an unexpected format. For example, the system might expect a numeric input but receives text instead, leading to crashes, errors, or security issues. |
| CWE-351 | Insufficient Type Distinction | This vulnerability occurs when an application fails to properly differentiate between different types of data or objects, leading to unintended and insecure behavior. |
| CWE-354 | Improper Validation of Integrity Check Value | This vulnerability occurs when software fails to properly check the integrity of data by validating its checksum or hash value. Without this verification, the application cannot reliably detect if information has been altered, corrupted, or tampered with during storage or transmission. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |