CWE-20 - Improper Input Validation
- 摘要:Class
- 结构:Simple
- 状态:Stable
- 发布日期:2006-07-19
- 更新日期:2026-04-30
名称
Improper Input Validation
描述
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of: Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data. Many properties of raw data or metadata may need to be validated upon entry into the code, such as: Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties may be considered a contributing factor to improper input validation.
常见后果
范围:Availability
影响:DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
注释:An attacker could provide unexpected values and cause a program crash or arbitrary control of resource allocation, leading to excessive consumption of resources such as memory and CPU.
范围:Confidentiality
影响:Read Memory, Read Files or Directories
注释:An attacker could read confidential data if they are able to control resource references.
范围:Integrity, Confidentiality, Availability
影响:Modify Memory, Execute Unauthorized Code or Commands
注释:An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.