CWE-344 Base Draft

Use of Invariant Value in Dynamically Changing Context

This vulnerability occurs when code uses a fixed, unchanging value (like a hardcoded string, number, or reference) in a situation where that value should actually be flexible and adapt to different…

Definition

What is CWE-344?

This vulnerability occurs when code uses a fixed, unchanging value (like a hardcoded string, number, or reference) in a situation where that value should actually be flexible and adapt to different runtime conditions or environments.
Developers often hardcode values like file paths, configuration settings, API endpoints, or cryptographic keys for simplicity during initial development. The problem arises when the application is deployed across different stages (like development, testing, and production) or for different users, as these invariant values fail to adjust. This forces the same static value to be used everywhere, which typically breaks functionality, exposes sensitive data, or creates security misconfigurations. To prevent this, you should externalize all environment-specific values into configuration files, environment variables, or secure secret management services. This practice, central to DevOps and secure CI/CD pipelines, ensures your application can dynamically pull the correct database credentials, service URLs, or feature flags for each specific deployment context without requiring code changes.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-344

  • CVE-2002-0980

    Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    The following code is an example of an internal hard-coded password in the back-end:

  2. 2

    Every instance of this program can be placed into diagnostic mode with the same password. Even worse is the fact that if this program is distributed as a binary-only distribution, it is very difficult to change that password or disable this "functionality."

  3. 3

    This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.

  4. 4

    The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution.

Verwundbares Codebeispiel

Vulnerable C

The following code is an example of an internal hard-coded password in the back-end:

Verwundbar C 
int VerifyAdmin(char *password) {
  		if (strcmp(password, "Mew!")) {
  				 printf("Incorrect Password!\n");
  				return(0)
  		}
  		printf("Entering Diagnostic Mode...\n");
  		return(1);
  }
Sicheres Codebeispiel

Secure pseudo

Sicher pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-344

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Erkennungssignale

How to detect CWE-344

SAST High

Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.

DAST Moderate

Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.

Runtime Moderate

Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.

Code review Moderate

Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.

Plexicus Auto-Fix

Plexicus erkennt CWE-344 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-344?

This vulnerability occurs when code uses a fixed, unchanging value (like a hardcoded string, number, or reference) in a situation where that value should actually be flexible and adapt to different runtime conditions or environments.

Wie gravierend ist CWE-344?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-344 betroffen?

MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.

Wie kann ich CWE-344 verhindern?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

Wie erkennt und behebt Plexicus CWE-344?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-344 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-344?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/344.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-344

CWE-330 Parent

Use of Insufficiently Random Values

This vulnerability occurs when an application uses random values that are not sufficiently unpredictable in security-sensitive operations,…

CWE-1204 Sibling

Generation of Weak Initialization Vector (IV)

This vulnerability occurs when software uses a weak or predictable Initialization Vector (IV) for cryptographic operations. Many…

CWE-1241 Sibling

Use of Predictable Algorithm in Random Number Generator

This vulnerability occurs when a device or application relies on a predictable algorithm to generate pseudo-random numbers, making the…

CWE-331 Sibling

Insufficient Entropy

This vulnerability occurs when a system's random number generator or algorithm lacks sufficient unpredictability, creating patterns or…

CWE-334 Sibling

Small Space of Random Values

This vulnerability occurs when a system uses a random number generator that produces too few possible values. Attackers can easily predict…

CWE-335 Sibling

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is used, but its initial seed value is not handled securely or…

CWE-338 Sibling

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

This vulnerability occurs when software uses a pseudo-random number generator (PRNG) that is not cryptographically strong for…

CWE-340 Sibling

Generation of Predictable Numbers or Identifiers

This vulnerability occurs when a system creates numbers or identifiers that are too easy to guess, undermining security mechanisms that…

CWE-323 Child

Reusing a Nonce, Key Pair in Encryption

This vulnerability occurs when a cryptographic nonce or key pair is reused, compromising the security of the encrypted data.

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen