{"@ID": "628", "@Name": "Function Call with Incorrectly Specified Arguments", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.", "Extended_Description": {"xhtml:p": "There are multiple ways in which this weakness can be introduced, including:", "xhtml:ul": {"xhtml:li": ["the wrong variable or reference;", "an incorrect number of arguments;", "incorrect order of arguments;", "wrong type of arguments; or", "wrong value."]}}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "573", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary", "Description": "This is usually primary to other weaknesses, but it can be resultant if the function's API or function prototype changes."}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Common_Consequences": {"Consequence": {"Scope": ["Other", "Access Control"], "Impact": ["Quality Degradation", "Gain Privileges or Assume Identity"], "Note": "This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources."}}, "Detection_Methods": {"Detection_Method": {"Method": "Other", "Description": "Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Build and Compilation", "Description": "Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA."}, {"Phase": "Architecture and Design", "Description": "Make sure your API's are stable before you use them in production code."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-62", "Intro_Text": "The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "// authenticate user", "#text": "..."}}, "xhtml:br": [null, null], "#text": "function authenticate($username, $password) {}\n                     authenticate($_POST['password'], $_POST['username']);"}}}, {"@Demonstrative_Example_ID": "DX-63", "Intro_Text": "This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.", "Example_Code": {"@Nature": "Bad", "@Language": "Perl", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "die \"Failed!\\n\";"}, "#text": "my ($username, $result, $fatal) = @_;PrintLog(\"auth: username=%s, result=%d\", $username, $result);if (($result ne \"success\") && $fatal) {}"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "my $result = CheckAuth($username);ReportAuth($username, $result, 0);DoReallyImportantStuff();"}], "xhtml:br": [null, null, null], "#text": "sub ReportAuth {}\n                     sub PrivilegedFunc{}"}}}, {"@Demonstrative_Example_ID": "DX-64", "Intro_Text": "In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "String[] userRoles = getUserRoles(user);return accessGranted(resource, ADMIN_ROLES);"}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "// grant or deny access based on user roles", "#text": "..."}}], "#text": "private static final String[] ADMIN_ROLES = ...;public boolean void accessGranted(String resource, String user) {}\n                     private boolean void accessGranted(String resource, String[] userRoles) {}"}}}]}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2006-7049", "Description": "The method calls the functions with the wrong argument order, which allows remote attackers to bypass intended access restrictions.", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-7049"}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "DCL10-C", "Entry_Name": "Maintain the contract between the writer and caller of variadic functions"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "EXP37-C", "Entry_Name": "Call functions with the correct number and type of arguments", "Mapping_Fit": "CWE More Abstract"}, {"@Taxonomy_Name": "SEI CERT Perl Coding Standard", "Entry_ID": "DCL00-PL", "Entry_Name": "Do not use subroutine prototypes", "Mapping_Fit": "CWE More Abstract"}, {"@Taxonomy_Name": "SEI CERT Perl Coding Standard", "Entry_ID": "EXP33-PL", "Entry_Name": "Do not invoke a function in a context for which it is not defined", "Mapping_Fit": "Imprecise"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2007-05-07", "Submission_Version": "Draft 6", "Submission_ReleaseDate": "2007-05-07"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Description, Relationships, Other_Notes, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Detection_Factors, Other_Notes, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Detection_Factors"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, Demonstrative_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships"}], "Previous_Entry_Name": {"@Date": "2008-04-11", "#text": "Incorrectly Specified Arguments"}}}
