Incomplete Internal State Distinction
Weakness ID: 372 (Weakness Base)Status: Draft
+ Description

Description Summary

The software does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory371State Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class697Insufficient Comparison
Research Concepts (primary)1000
+ Relationship Notes

This conceptually overlaps other categories such as insufficient verification, but this entry refers to the product's incorrect perception of its own state.

This is probably resultant from other weaknesses such as unhandled error conditions, inability to handle out-of-order steps, multiple interpretation errors, etc.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERIncomplete Internal State Distinction
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
56Removing/short-circuiting 'guard logic'
74Manipulating User State
+ Maintenance Notes

The classification under CWE-697 is imprecise. Since this entry does not cover specific causes for the failure to identify proper state, it needs deepere investigation. It is probably more like a category.

+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Maintenance Notes, Relationships, Relationship Notes, Taxonomy Mappings