CWE-182
Collapse of Data into Unsafe Value
Draft
2006-07-19
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Collapse of Data into Unsafe Value
The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
General Informations
Modes Of Introduction
ImplementationApplicable Platforms
Language
Class: Not Language-Specific (Undetermined)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Access Control | Bypass Protection Mechanism |
Observed Examples
| References | Description |
|---|---|
CVE-2004-0815 | "/.////" in pathname collapses to absolute path. |
CVE-2005-3123 | "/.//..//////././" is collapsed into "/.././" after ".." and "//" sequences are removed. |
CVE-2002-0325 | ".../...//" collapsed to "..." due to removal of "./" in web server. |
CVE-2002-0784 | chain: HTTP server protects against ".." but allows "." variants such as "////./../.../". If the server removes "/.." sequences, the result would collapse into an unsafe value "////../" (CWE-182). |
CVE-2005-2169 | MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../". |
CVE-2001-1157 | XSS protection mechanism strips a |