Use of Invariant Value in Dynamically Changing Context
Weakness ID: 344 (Weakness Base)Status: Draft
+ Description

Description Summary

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Observed Examples
ReferenceDescription
CVE-2002-0980Component for web browser writes an error message to a known location, which can then be referenced by attackers to process HTML/script in a less restrictive context
+ Potential Mitigations

Increase the entropy used to seed a PRNG.

Phase: Implementation

Perform FIPS 140-2 tests on data to catch obvious entropy problems.

+ Other Notes

This is often a factor in attacks on web browsers, in which known or predictable filenames become necessary to exploit browser vulnerabilities.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
Resultant
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class330Use of Insufficiently Random Values
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base259Use of Hard-coded Password
Research Concepts1000
ParentOfWeakness BaseWeakness Base321Use of Hard-coded Cryptographic Key
Research Concepts1000
ParentOfWeakness BaseWeakness Base323Reusing a Nonce, Key Pair in SecurityDatabase\Encrypt\Encryption
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base587Assignment of a Fixed Address to a Pointer
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base798Use of Hard-coded Credentials
Research Concepts1000
+ Relationship Notes

overlaps default configuration.

+ Relevant Properties
  • Mutability
  • Uniqueness
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERStatic Value in Unpredictable Context
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Relationship Notes, Relevant Properties, Taxonomy Mappings, Weakness Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated Potential Mitigations
2009-12-28CWE Content TeamMITREInternal
updated Potential Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Static Value in Unpredictable Context
Back to top