CWE-684
Incorrect Provision of Specified Functionality
Draft
2008-04-11
00h00 +00:00
00h00 +00:00
2023-10-26
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Incorrect Provision of Specified Functionality
The code does not function according to its published specifications, potentially leading to incorrect usage.
Description du CWE
When providing functionality to an external party, it is important that the product behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state.
Informations générales
Modes d'introduction
ImplementationConséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Other | Quality Degradation |
Exemples observés
| Références | Description |
|---|---|
CVE-2002-1446 | Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages. |
CVE-2001-1559 | Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476). |
CVE-2003-0187 | Program uses large timeouts on unconfirmed connections resulting from inconsistency in linked lists implementations. |
CVE-1999-1446 | UI inconsistency; visited URLs list not cleared when "Clear History" option is selected. |
Mesures d’atténuation potentielles
Phases : ImplementationEnsure that your code strictly conforms to specifications.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is a Class and might have Base-level children that would be more appropriateCommentaire : Examine children of this entry to see if there is a better fit
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 9 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Description, Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Description, Name | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Type | |
| CWE Content Team | MITRE | updated Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.