CWE-494: Download of Code Without Integrity Check
ID
CWE-494
Abstraction
Base
Structure
Simple
Status
Draft
Number of CVEs
124
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Implementation |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-345 | Insufficient Verification of Data Authenticity | Class | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-669 | Incorrect Resource Transfer Between Spheres | Class | Simple | Draft | |
| CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Incomplete | CWE-669 | Incorrect Resource Transfer Between Spheres | Class | Simple | Draft | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-184 | Software Integrity Attack | CWE-494 |
| CAPEC-185 | Malicious Software Download | CWE-494 |
| CAPEC-186 | Malicious Software Update | CWE-494 |
| CAPEC-187 | Malicious Automated Software Update via Redirection | CWE-494 |
| CAPEC-533 | Malicious Manual Software Update | CWE-494 |
| CAPEC-538 | Open-Source Library Manipulation | CWE-494 |
| CAPEC-657 | Malicious Automated Software Update via Spoofing | CWE-494 |
| CAPEC-662 | Adversary in the Browser (AiTB) | CWE-494 |
| CAPEC-691 | Spoof Open-Source Software Metadata | CWE-494 |
| CAPEC-692 | Spoof Version Control System Commit Metadata | CWE-494 |
| CAPEC-693 | StarJacking | CWE-494 |
| CAPEC-695 | Repo Jacking | CWE-494 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |
Loading...