CWE-435 Detail

CWE-435

Name

Improper Interaction Between Multiple Correctly-Behaving Entities

Status

Draft

Published

2006-07-19
00h00 +00:00

Modified

2024-02-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Improper Interaction Between Multiple Correctly-Behaving Entities

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

CWE Description

When a system or process combines multiple independent components, this often produces new, emergent behaviors at the system level. However, if the interactions between these components are not fully accounted for, some of the emergent behaviors can be incorrect or even insecure.

General Informations

Modes Of Introduction

Architecture and Design
Implementation
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Integrity	Unexpected State, Varies by Context

Observed Examples

References	Description
CVE-2002-0485	Anti-virus product allows bypass via Content-Type and Content-Disposition headers that are mixed case, which are still processed by some clients.
CVE-2003-0411	chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype "text".

Vulnerability Mapping Notes

Justification : This CWE entry is extremely high-level, a Pillar. However, sometimes this weakness is forced to be used due to the lack of in-depth weakness research. See Research Gaps.
Comment : Where feasible, consider children or descendants of this entry instead.

NotesNotes

Weaknesses related to this Pillar appear to be under-studied, especially with respect to classification schemes. Input from academic and other communities could help identify and resolve gaps or organizational difficulties within CWE.

The "Interaction Error" term, in CWE and elsewhere, is only intended to describe products that behave according to specification. When one or more of the products do not comply with specifications, then it is more likely to be API Abuse (CWE-227) or an interpretation conflict (CWE-436). This distinction can be blurred in real world scenarios, especially when "de facto" standards do not comply with specifications, or when there are no standards but there is widespread adoption. As a result, it can be difficult to distinguish these weaknesses during mapping and classification.

References

REF-428

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
Thomas H. Ptacek, Timothy N. Newsham.
https://insecure.org/stf/secnet_ids/secnet_ids.pdf

REF-568

Use of A Taxonomy of Security Faults
Taimur Aslam, Ivan Krsul, Eugene H. Spafford.
https://csrc.nist.gov/csrc/media/publications/conference-paper/1996/10/22/proceedings-of-the-19th-nissc-1996/documents/paper057/paper.pdf

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Relationship_Notes, Taxonomy_Mappings
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description, Relationships
CWE Content Team	MITRE	2008-11-24 +00:00	updated Relationships
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2011-06-27 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-01-19 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Name, Relationships
CWE Content Team	MITRE	2018-03-27 +00:00	updated Alternate_Terms, Description, Name, References, Relationships
CWE Content Team	MITRE	2019-06-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Applicable_Platforms, Type
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes, Research_Gaps
CWE Content Team	MITRE	2023-10-26 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2024-02-29 +00:00	updated Demonstrative_Examples, References