CWE-829: Inclusion of Functionality from Untrusted Control Sphere
When including third-party functionality, such as a web widget, library, or other source of functionality, the product must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious in nature (either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source). The functionality might also contain its own weaknesses, or grant access to additional functionality and state information that should be kept private to the base system, such as system state information, sensitive application data, or the DOM of a web application.
This might lead to many different consequences depending on the included functionality, but some examples include injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, or open redirect to malware (CWE-601).
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-669 | Incorrect Resource Transfer Between Spheres | Class | Simple | Draft | |
| CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Incomplete | CWE-669 | Incorrect Resource Transfer Between Spheres | Class | Simple | Draft | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-175 | Code Inclusion | CWE-829 |
| CAPEC-201 | Serialized Data External Linking | CWE-829 |
| CAPEC-228 | DTD Injection | CWE-829 |
| CAPEC-251 | Local Code Inclusion | CWE-829 |
| CAPEC-252 | PHP Local File Inclusion | CWE-829 |
| CAPEC-253 | Remote Code Inclusion | CWE-829 |
| CAPEC-263 | Force Use of Corrupted Files | CWE-829 |
| CAPEC-538 | Open-Source Library Manipulation | CWE-829 |
| CAPEC-549 | Local Execution of Code | CWE-829 |
| CAPEC-640 | Inclusion of Code in Existing Process | CWE-829 |
| CAPEC-660 | Root/Jailbreak Detection Evasion via Hooking | CWE-829 |
| CAPEC-695 | Repo Jacking | CWE-829 |
| CAPEC-698 | Install Malicious Extension | CWE-829 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |